{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T14:56:32.891","vulnerabilities":[{"cve":{"id":"CVE-2026-33681","sourceIdentifier":"security-advisories@github.com","published":"2026-03-23T19:16:41.540","lastModified":"2026-03-25T18:03:12.663","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el endpoint 'objects/pluginRunDatabaseScript.json.php' acepta un parámetro 'name' vía POST y lo pasa a 'Plugin::getDatabaseFileName()' sin ninguna sanitización de salto de ruta. Esto permite a un administrador autenticado (o a un atacante vía CSRF) atravesar fuera del directorio del plugin y ejecutar el contenido de cualquier archivo 'install/install.sql' en el sistema de archivos como consultas SQL sin procesar contra la base de datos de la aplicación. El commit 81b591c509835505cb9f298aa1162ac64c4152cb contiene un parche."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"26.0","matchCriteriaId":"774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}