CVE-2026-39369
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
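As an added illustration (not AVideo's own code), the containment check a defender would want in front of any server-side fetch of a same-origin /videos/... URL: the path is percent-decoded and canonicalised, then required to stay inside the videos directory before anything is copied into poster storage. The helper names, the origin and the sample files below are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import urlsplit, unquote


def resolve_same_origin_media(url: str, site_origin: str, videos_root: str):
    """Map a same-origin /videos/... URL to a real file under videos_root.

    Returns the canonical filesystem path, or None when the URL is not
    same-origin, does not point under /videos/, or resolves (after
    percent-decoding and symlink resolution) outside videos_root.
    Hypothetical helper written for this example.
    """
    parts = urlsplit(url)
    origin = urlsplit(site_origin)
    if (parts.scheme, parts.netloc) != (origin.scheme, origin.netloc):
        return None                       # only our own host is allowed
    # Decode before checking so %2e%2e is seen as ".." and not as literal text
    path = unquote(parts.path)
    if not path.startswith("/videos/"):
        return None
    # Strip leading slashes: os.path.join would treat "/etc/passwd" as absolute
    rel = path[len("/videos/"):].lstrip("/")
    root = os.path.realpath(videos_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    # Containment on the canonical path defeats ../ sequences and symlink escapes
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_demo_tree() -> str:
    """Constructed layout: videos/ holding one poster and a symlink that
    points outside it, plus a secret file next to the videos directory."""
    base = tempfile.mkdtemp()
    videos = os.path.join(base, "videos")
    os.makedirs(videos)
    with open(os.path.join(videos, "clip.gif"), "wb") as f:
        f.write(b"GIF89a")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for the public")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(videos, "link.gif"))
    return videos


if __name__ == "__main__":
    videos = build_demo_tree()
    origin = "https://example.invalid"
    for u in ["/videos/clip.gif", "/videos/../secret.txt",
              "/videos/%2e%2e/secret.txt", "/videos/link.gif"]:
        print(u, "->", resolve_same_origin_media(origin + u, origin, videos))
```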
Affected products
WWBN · AVideo