PatchSiren

CVE-2026-45731 WWBN CVE debrief

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process.

Vendor: WWBN
Product: AVideo
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running WWBN AVideo 29.0 or earlier with administrator-level users; security teams responsible for PHP application security; hosting providers offering AVideo deployments; and administrators managing video platform infrastructure.

Technical summary

The vulnerability resides in view/update.php where user-supplied input via $_POST['updateFile'] is used to construct a file path without adequate sanitization. The constructed path is passed to PHP's file() function for line-by-line reading during database migration operations. An authenticated administrator can manipulate the updateFile parameter using directory traversal sequences (e.g., ../) to escape the intended updatedb/ directory and read arbitrary text files accessible to the web server process. This represents a classic path traversal (CWE-22) vulnerability with confidentiality impact.
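
A containment check of the kind the summary describes as missing, shown as an added example (it is not AVideo's code or the vendor's fix). The function name, the restriction to bare file names, and the temporary directory standing in for updatedb/ are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a client-supplied migration file name to a path inside $baseDir.
 * Hypothetical helper for illustration; assumes migrations are plain files
 * directly under the update directory (no subdirectories).
 */
function resolveUpdateFile(string $baseDir, string $requested): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('update directory is missing');
    }
    // Reject NUL bytes and anything that is not a bare file name.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        throw new InvalidArgumentException('invalid file name');
    }
    // realpath() collapses ../ and follows symlinks, so the prefix check
    // is made against the file that would actually be opened.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('not a file inside the update directory');
    }
    return $path;
}

// Constructed demo data: a temporary tree standing in for updatedb/.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'updatedb_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/updatedb', 0700, true);
file_put_contents($root . '/updatedb/migration.sql', "SELECT 1;\n");
file_put_contents($root . '/secret.txt', "not a migration\n");

foreach (['migration.sql', '../secret.txt', '..', 'missing.sql'] as $name) {
    try {
        echo $name, ' => ', resolveUpdateFile($root . '/updatedb', $name), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only `migration.sql` resolves to a path; the other three names are rejected before any call to file() would be made.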

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade WWBN AVideo to a version newer than 29.0 once a patched release becomes available
  • Review and restrict administrator account access to trusted personnel only
  • Implement additional access controls and monitoring on the view/update.php endpoint
  • Audit web server file permissions to limit file exposure
  • Consider implementing Web Application Firewall (WAF) rules to detect and block path traversal attempts in the updateFile parameter

Evidence notes

The vulnerability exists in the view/update.php component of WWBN AVideo versions 29.0 and earlier. The issue stems from insufficient path validation on the 'updateFile' POST parameter, which is used to construct a file path for PHP's file() function. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, high privileges required (administrator), and high confidentiality impact with no integrity or availability impact. The weakness is classified as CWE-22 (Path Traversal).

Official resources

2026-05-29