PT-2026-34207 · Wwbn · Avideo

Published 2026-04-14 · Updated 2026-04-25 · CVE-2026-41062

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions 29.0 and earlier

Description

A directory traversal flaw exists because the security check in 'objects/aVideoEncoderReceiveImage.json.php' validates only the URL path component for traversal sequences, while the try_get_contents_from_local() function in 'objects/functionsFile.php' processes the full URL string, including the query string, using explode('/videos/', $url). An attacker can bypass the check by placing a traversal payload in the query string and read arbitrary files from the server filesystem.

Recommendations

Update to a version containing commit bd11c16ec894698e54e2cdae25026c61ad1ed441.
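
The check/use mismatch in the description, modeled in PHP as an added example; it is not AVideo's source and not the code from the fix commit. The function names, the sample URLs, the temporary directory, and the choice to use the text after the first '/videos/' are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model of the mismatch, not AVideo's code or its fix.

// Check as the advisory describes it: only the URL path is inspected for "..".
function pathOnlyCheck(string $url): bool
{
    return strpos((string) parse_url($url, PHP_URL_PATH), '..') === false;
}

// Consumer as the advisory describes it: the full URL string, query included,
// is split on '/videos/'. Using the text after the first match is an assumption.
function suffixFromFullUrl(string $url): string
{
    return explode('/videos/', $url, 2)[1] ?? '';
}

// Hardened variant (hypothetical): derive the suffix from the same parsed path
// that is validated, then confirm the resolved file stays under $videosDir.
function resolveInsideVideos(string $url, string $videosDir): ?string
{
    $path = rawurldecode((string) parse_url($url, PHP_URL_PATH));
    $suffix = explode('/videos/', $path, 2)[1] ?? '';
    $segments = explode('/', str_replace('\\', '/', $suffix));
    if ($suffix === '' || strpos($suffix, "\0") !== false || in_array('..', $segments, true)) {
        return null;
    }
    $base = realpath($videosDir);
    $real = realpath($videosDir . '/' . $suffix);
    if ($base === false || $real === false) {
        return null;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Constructed sample data: a throwaway videos directory and two URLs.
$videosDir = sys_get_temp_dir() . '/videos_demo_' . getmypid();
@mkdir($videosDir . '/a', 0700, true);
file_put_contents($videosDir . '/a/thumb.jpg', 'img');

$urls = [
    'https://media.example/videos/a/thumb.jpg?cache=1',          // ordinary request
    'https://media.example/thumb.jpg?src=/videos/../../outside', // traversal only in the query
];
foreach ($urls as $url) {
    printf("%s\n  path-only check passes: %s\n  suffix seen by consumer: %s\n  hardened result: %s\n",
        $url, var_export(pathOnlyCheck($url), true), suffixFromFullUrl($url),
        var_export(resolveInsideVideos($url, $videosDir), true));
}
```

Both URLs pass the path-only check, but only the hardened function ties the validated component to the one that reaches the filesystem and enforces containment after resolution.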

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-41062
GHSA-M63R-M9JH-3VC6

Affected Products

Avideo