PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46337 WWBN CVE debrief

WWBN AVideo 29.0 and earlier contains an unauthenticated arbitrary file read vulnerability. An unauthenticated remote attacker can read arbitrary image files anywhere on disk accessible to the PHP user, including private user-profile photos protected by ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content in sibling application directories reachable via directory traversal. The affected endpoint requires no authentication. The vulnerability is classified as CWE-22 (Path Traversal).

Vendor: WWBN
Product: AVideo
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running WWBN AVideo 29.0 or earlier; security teams responsible for content management platforms; hosting providers with multi-tenant AVideo deployments; privacy officers concerned with unauthorized access to user profile images and private media assets

Technical summary

The vulnerability exists in an image-serving endpoint that fails to properly validate and sanitize user-supplied file paths. The endpoint accepts path parameters that can traverse outside intended directories using '..' sequences, allowing access to any image file readable by the PHP process. This bypasses application-level ACLs that normally gate access to sensitive images such as private user profile photos, administrative thumbnails, and poster frames for encrypted video content. The vulnerability also exposes image assets from other applications co-located on the same server if they reside in directories reachable via traversal from the AVideo web root.

Defensive priority

High

Recommended defensive actions

  • Upgrade WWBN AVideo to a version newer than 29.0 once a patched release is available from the vendor
  • Review and restrict filesystem permissions for the PHP user to limit accessible directories
  • Implement network-level access controls to restrict exposure of AVideo instances to untrusted networks
  • Monitor access logs for anomalous requests to image-serving endpoints that may indicate traversal attempts
  • Validate that image-serving endpoints enforce proper path normalization and access control checks
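To make the last two actions concrete, here is an added Python example (not AVideo's own code, which is PHP): a canonicalization check that confines a requested image path to one allowed directory, and a log filter that flags plain, URL-encoded and double-URL-encoded '..' sequences. IMAGE_ROOT, the /image-endpoint path and the log lines are constructed placeholders, not values from the advisory.

```python
import os
import re
from urllib.parse import unquote

# Directory the image endpoint is allowed to serve from. Constructed
# placeholder, not AVideo's real layout.
IMAGE_ROOT = "/srv/avideo-images"
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def resolve_image_path(requested: str, base: str = IMAGE_ROOT):
    """Canonicalize a user-supplied image path and confine it to `base`.

    Returns the absolute path to serve, or None if the request escapes the
    allowed directory, contains a NUL byte, or names a non-image file.
    """
    decoded = unquote(unquote(requested))  # collapse single and double URL-encoding
    if "\x00" in decoded:
        return None
    root = os.path.realpath(base)
    # realpath collapses every '..' segment and resolves symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # Compare with a trailing separator so "/srv/avideo-images-old" is rejected too.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    if os.path.splitext(candidate)[1].lower() not in IMAGE_EXTENSIONS:
        return None
    return candidate


# '..' segments in plain, URL-encoded and double-URL-encoded forms.
TRAVERSAL_RE = re.compile(r"\.\.(/|\\|%2f|%5c)|%2e%2e(/|%2f)|%252e%252e", re.IGNORECASE)


def find_traversal_attempts(log_lines):
    """Return the access-log lines whose request contains a traversal sequence."""
    return [line for line in log_lines if TRAVERSAL_RE.search(line)]


# Constructed sample access-log lines; "/image-endpoint" is a hypothetical path.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/May/2026:10:00:01 +0000] "GET /image-endpoint?file=thumb1.jpg HTTP/1.1" 200 4096',
    '203.0.113.9 - - [29/May/2026:10:00:02 +0000] "GET /image-endpoint?file=../../other-app/uploads/private.jpg HTTP/1.1" 200 9000',
    '203.0.113.9 - - [29/May/2026:10:00:03 +0000] "GET /image-endpoint?file=..%2f..%2fprofiles%2fuser.png HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for req in ("thumb1.jpg", "../../etc/x.jpg", "%2e%2e/%2e%2e/x.png", "notes.txt"):
        print(f"{req!r:28} -> {resolve_image_path(req)}")
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The path check is the right shape for a fix regardless of language; the log filter is a first-pass triage rule, so pair it with the 200/404 status and the requesting client to separate scanners from successful reads.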

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-w4qq-74h6-58wq. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, with low confidentiality impact. NVD status is 'Undergoing Analysis' as of disclosure date.

Official resources

2026-05-29