CVE-2026-39369
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
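The advisory describes three gaps in one endpoint: a user-supplied URL that is allowed to point back at the server itself, path traversal that survives the scrubbing step, and fetched bytes written under a GIF poster URL without any check that they are a GIF. The following is an added illustration of the defensive checks such a poster-fetch feature needs; it is not AVideo's code (it is Python rather than the project's PHP), and the hostnames, the `videos/<id>/poster.gif` storage layout, the identifier format and every function name are assumptions made for the example.

```python
"""Defensive validation for a "fetch an image by URL and store it as a poster" feature.
Added example, not AVideo code: hostnames, storage layout and names are assumed."""
import ipaddress
import os
import re
from pathlib import PurePosixPath
from typing import Optional, Set, Tuple
from urllib.parse import unquote, urlsplit

GIF_MAGICS = (b"GIF87a", b"GIF89a")
MAX_DECODE_ROUNDS = 3  # enough to surface double-encoded traversal such as %252e%252e
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed shape of a video identifier


def _fully_unquoted(path: str) -> str:
    """Percent-decode repeatedly so that multiply-encoded '..' becomes visible."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def check_source_url(url: str, own_hosts: Set[str]) -> str:
    """Return "ok" or a rejection reason for a user-supplied poster source URL.

    own_hosts is the set of hostnames this deployment answers to; fetching from
    them (or from loopback/private addresses) is what turns an image fetch into
    a local file read."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme"
    host = (parts.hostname or "").lower()
    if not host:
        return "no-host"
    if host in own_hosts or host == "localhost" or host.endswith(".localhost"):
        return "same-origin"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not a literal address
    if ip is not None and not ip.is_global:
        return "internal-address"
    path = _fully_unquoted(parts.path).replace("\\", "/")
    if ".." in PurePosixPath(path).parts:
        return "traversal"
    return "ok"


def check_payload(data: bytes) -> str:
    """Accept only bytes that start like a GIF; a passwd file or PHP source does not."""
    if len(data) < 6 or data[:6] not in GIF_MAGICS:
        return "not-gif"
    return "ok"


def poster_path(storage_root: str, video_id: str) -> Optional[str]:
    """Build the on-disk poster path from a strict identifier and prove the
    resolved path is still under storage_root; None means refuse to write."""
    if not ID_PATTERN.fullmatch(video_id):
        return None
    root = os.path.realpath(storage_root)
    candidate = os.path.realpath(os.path.join(root, video_id, "poster.gif"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def accept_poster(url: str, data: bytes, own_hosts: Set[str],
                  storage_root: str, video_id: str) -> Tuple[bool, str]:
    """Run every check; the caller performs the fetch only after check_source_url
    passes and writes the bytes only when this returns (True, destination)."""
    verdict = check_source_url(url, own_hosts)
    if verdict != "ok":
        return False, verdict
    verdict = check_payload(data)
    if verdict != "ok":
        return False, verdict
    dest = poster_path(storage_root, video_id)
    if dest is None:
        return False, "bad-id"
    return True, dest


if __name__ == "__main__":
    # Constructed sample: a legitimate external GIF for an assumed deployment.
    print(accept_poster("https://cdn.example.invalid/p.gif", b"GIF89a" + bytes(10),
                        {"video.example.invalid"}, "/srv/avideo/videos", "vid42"))
```

Two caveats apply when this is wired into a real fetch. The URL check must be re-run on every redirect target, because a permitted external host can redirect to the server's own address, and the literal-address test only catches addresses written in the URL: a hostname that resolves to loopback or a private range is only caught by checking the address actually connected to. The magic-byte check is deliberately the last gate rather than the only one; it stops text files from being republished, but a correct source restriction is what keeps local files from being read at all.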
Affected products
WWBN · AVideo