{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33681", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.931Z", "datePublished": "2026-03-23T18:39:33.513Z", "dateUpdated": "2026-03-24T16:13:23.412Z"}, "containers": {"cna": {"title": "AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr"}, {"name": "https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:40:41.680Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch."}], "source": {"advisory": "GHSA-3hwv-x8g3-9qpr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T16:12:43.923265Z", "id": "CVE-2026-33681", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T16:13:23.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33681", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T16:12:43.923265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T16:13:14.607Z"}}], "cna": {"title": "AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name", "source": {"advisory": "GHSA-3hwv-x8g3-9qpr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb", "name": "https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:40:41.680Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33681", "state": "PUBLISHED", "dateUpdated": "2026-03-24T16:13:23.412Z", "dateReserved": "2026-03-23T16:34:59.931Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:39:33.513Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint 'objects/pluginRunDatabaseScript.json.php' acepta un par\u00e1metro 'name' v\u00eda POST y lo pasa a 'Plugin::getDatabaseFileName()' sin ninguna sanitizaci\u00f3n de salto de ruta. Esto permite a un administrador autenticado (o a un atacante v\u00eda CSRF) atravesar fuera del directorio del plugin y ejecutar el contenido de cualquier archivo 'install/install.sql' en el sistema de archivos como consultas SQL sin procesar contra la base de datos de la aplicaci\u00f3n. El commit 81b591c509835505cb9f298aa1162ac64c4152cb contiene un parche."}], "id": "CVE-2026-33681", "lastModified": "2026-03-25T18:03:12.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:41.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-25T20:04:25.265341+00:00", "value": {"mitigation_remediation": ["Apply the official patch referenced by commit\u00a081b591c509835505cb9f298aa1162ac64c4152cb", "Verify that the latest version of AVideo is deployed and that no older vulnerable files remain on the server", "Restrict the pluginRunDatabaseScript.json.php endpoint to administrators only and ensure proper CSRF protection is enforced", "Audit database logs for unexpected SQL execution patterns and monitor for unauthorized admin activity"], "summary": {"action": "Install patch", "impact": "Arbitrary execution of SQL files via path traversal leading to database compromise"}, "threat_synthesis": {"affected_systems": "The affected product is the open\u2011source video platform developed by WWBN, known as AVideo. Versions of the software up through 26.0 contain the flaw. Any deployment of AVideo within these version ranges is susceptible if the pluginRunDatabaseScript.json.php endpoint is reachable and an admin or CSRF token can be leveraged.", "description_and_impact": "The vulnerability arises from the pluginRunDatabaseScript.json.php endpoint in AVideo, which accepts a server-side name parameter through a POST request and passes it directly to the Plugin::getDatabaseFileName() function without sanitizing for path traversal characters. This flaw allows an authenticated administrator, or an attacker who can perform a cross\u2011site request forgery on an authenticated admin session, to specify a filename that points outside the plugin directory. The endpoint then interprets the selected file as a raw SQL script and executes its contents against the application database. An attacker exploiting this flaw could run arbitrary SQL commands, potentially extracting sensitive data, modifying or deleting records, and compromising the integrity and confidentiality of the platform. The impact is therefore a form of remote database code execution rather than arbitrary system code execution.", "risk_and_exploitability": "The Common Vulnerability Scoring System assigns a 7.2 (High) severity to this flaw, reflecting significant potential damage if exploited. The Exploit Prediction Scoring System reports an exploitation probability of less than 1\u202f%, indicating that while feasible, it is unlikely to be targeted widely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no publicly disclosed exploits are known. A likely attack path requires authenticated administrative access or a successful CSRF attack, after which the attacker can supply a malicious pathname to execute arbitrary SQL files located anywhere on the file system. The presence of a patch in the project\u2019s repository mitigates the risk once applied."}}}}, "created": "2026-03-24T10:33:17.755929+00:00", "updated": "2026-03-25T20:37:09.457068+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}