{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T14:54:29.426","vulnerabilities":[{"cve":{"id":"CVE-2026-33292","sourceIdentifier":"security-advisories@github.com","published":"2026-03-22T17:17:08.753","lastModified":"2026-03-23T16:18:24.447","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, el endpoint de streaming HLS ('view/hls.php') es vulnerable a un ataque de salto de ruta que permite a un atacante no autenticado transmitir cualquier video privado o de pago en la plataforma. El parámetro GET 'videoDirectory' se utiliza en dos rutas de código divergentes — una para la autorización (que trunca en el primer segmento '/') y otra para el acceso a archivos (que conserva las secuencias de salto '..') — creando una condición de 'oráculo dividido' donde la autorización se verifica contra un video mientras que el contenido se sirve desde otro. La versión 26.0 contiene una solución para el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndExcluding":"26.0","matchCriteriaId":"B468F0CE-E5E7-4607-BD15-B5763C47493E"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}