PT-2026-43464 · Avideo · Avideo

Pr3Ungdt · Published 2026-05-18 · Updated 2026-05-29 · CVE-2026-45731

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier

Description: An issue exists in the 'view/update.php' endpoint where the updateFile parameter is processed as a relative path under the 'updatedb/' directory and passed to the PHP file() function for line-by-line execution during database migrations. Because the updateFile variable is concatenated into a path without sanitization, an authenticated administrator can use path traversal to read arbitrary text files accessible by the web-server process, such as '/etc/passwd' or '.env' files.

Recommendations: Update AVideo to a version later than 29.0. As a temporary workaround, restrict access to the 'view/update.php' endpoint to only the most trusted administrators.
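
The check that the description says is missing, as an added PHP example (not AVideo's code or its actual fix): the unsanitized concatenation beside a version that accepts only a bare file name and confirms the resolved path stays under the base directory. The function names, the temporary directory layout and the sample file names are assumptions constructed for the demonstration.

```php
<?php
// Added example, not AVideo source. All names and files here are hypothetical.

// Weak pattern from the description: the parameter is concatenated into a
// path under updatedb/ with no sanitization.
function weak_update_path(string $baseDir, string $updateFile): string
{
    return $baseDir . '/' . $updateFile;
}

// Hardened form: accept only a bare file name, canonicalise the result,
// and require it to remain inside the base directory.
function safe_update_path(string $baseDir, string $updateFile): ?string
{
    // Reject empty values, NUL bytes and anything containing a directory part.
    if ($updateFile === '' || strpos($updateFile, "\0") !== false
        || basename($updateFile) !== $updateFile) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $updateFile); // resolves ../ and symlinks
    if ($base === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so "updatedb_old" cannot match "updatedb".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed fixture: updatedb/ with one migration and a sibling .env file.
$root = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/updatedb', 0700, true);
file_put_contents($root . '/updatedb/update1.sql', "SELECT 1;\n");
file_put_contents($root . '/.env', "DB_PASSWORD=constructed\n");

foreach (['update1.sql', '../.env', 'missing.sql'] as $candidate) {
    $weak = weak_update_path($root . '/updatedb', $candidate);
    $safe = safe_update_path($root . '/updatedb', $candidate);
    printf("%-12s weak path readable: %-3s  hardened: %s\n",
        $candidate,
        is_readable($weak) ? 'yes' : 'no',
        $safe === null ? 'rejected' : 'accepted');
}

// Remove the constructed fixture.
array_map('unlink', [$root . '/updatedb/update1.sql', $root . '/.env']);
rmdir($root . '/updatedb');
rmdir($root);
```

The realpath() containment test also covers a symlink placed inside the base directory, which the file-name check alone would not catch.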

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-45731
GHSA-3MJV-375J-6H92

Affected Products

Avideo