CVE-2026-33293— AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter

AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter

WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

对路径名的限制不恰当(路径遍历)

WWBN AVideo 路径遍历漏洞

WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 26.0之前版本存在路径遍历漏洞，该漏洞源于cloneServer.json.php中的deleteDump参数未经路径清理直接传递给unlink函数，可能导致具有有效克隆凭据的攻击者使用路径遍历序列删除服务器上的任意文件。

N/A

N/A