PT-2026-41994 · Wwbn+1 · Avideo+1
Pr3Ungdt · Published 2026-05-19 · Updated 2026-05-29 · CVE-2026-46337
CVSS v4.0: 6.9 Medium
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier
Description: An unauthenticated remote attacker can read arbitrary image files from disk that the PHP user has permission to open. This includes private user-profile photos protected by Access Control Lists (ACLs), admin-uploaded thumbnails, encrypted-video poster frames, and image content in sibling-app directories. The issue is caused by a path traversal flaw: the application neither filters ".." segments nor validates the destination path, so files outside the intended directory can be read. The vulnerability is located in the endpoint "/view/img/image404Raw.php", where the "image" parameter is passed directly to readfile(). The application uses getimagesize() to verify that the file is an image, but that call only checks magic bytes (file headers) and does not restrict the file path. Additionally, the use of $_SERVER["REQUEST_URI"] as a fallback when the "image" parameter is empty further increases the attack surface.
Recommendations: For versions 29.0 and earlier, implement the following security measures in the "/view/img/image404Raw.php" endpoint:
  1. Reject any request containing path-traversal segments such as "..", null bytes (\0), or protocol schemes ("://").
  2. Use realpath() to resolve the absolute path and verify that the resulting path is contained within the intended /videos/ or /view/img/ directory.
  3. Remove the $_SERVER["REQUEST_URI"] fallback and return a 400 Bad Request error if the "image" parameter is not provided.
  4. As a temporary mitigation, restrict access to the "/view/img/image404Raw.php" endpoint or disable it until these changes are applied.
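The four recommendations above, carried through as a hardened handler sketch added to this advisory (it is not AVideo's own code); the function name, the assumed on-disk layout of /videos/ and /view/img/, and the PHP 8 string helpers are assumptions:

```php
<?php
declare(strict_types=1);
// Added example: hardened replacement for the unvalidated readfile() in
// /view/img/image404Raw.php. Directory layout and function name are assumed.

/**
 * Resolve a user-supplied image path to a real file inside one of the
 * allowed roots, or return null when the request must be rejected.
 */
function resolveSafeImagePath(?string $image, array $allowedRoots): ?string
{
    // Recommendation 3: no $_SERVER["REQUEST_URI"] fallback; empty means reject.
    if ($image === null || $image === '') {
        return null;
    }
    // Recommendation 1: reject traversal segments, null bytes and stream
    // schemes before touching the filesystem at all.
    if (str_contains($image, '..') || str_contains($image, "\0") || str_contains($image, '://')) {
        return null;
    }
    // Recommendation 2: canonicalise (symlinks included), then require the
    // result to sit strictly under an allowed root. The trailing separator
    // stops a sibling such as /videos2 from matching /videos.
    $real = realpath($image);
    if ($real === false || !is_file($real)) {
        return null;
    }
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal !== false && str_starts_with($real, rtrim($rootReal, '/') . '/')) {
            return $real;
        }
    }
    return null;
}

// Assumed layout: this script lives in /view/img/, videos in /videos/.
$allowedRoots = [__DIR__ . '/../../videos', __DIR__];
$path = resolveSafeImagePath($_GET['image'] ?? null, $allowedRoots);

if ($path === null) {
    http_response_code(400);   // Recommendation 3: missing or bad parameter
    exit('Bad Request');
}
// getimagesize() still guards the content type, but only after confinement.
$info = getimagesize($path);
if ($info === false) {
    http_response_code(404);
    exit('Not Found');
}
header('Content-Type: ' . $info['mime']);
readfile($path);
```

Recommendation 4 (restricting or disabling the endpoint) is a web-server or deployment control and is not shown here.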

Weakness Enumeration

Path traversal
Missing Authorization
Improper Access Control

Related Identifiers

CVE-2026-46337
GHSA-W4QQ-74H6-58WQ

Affected Products

Avideo
Wwbn Avideo