CVE-2026-33293 | WWBN AVideo up to 25.x cloneServer.json.php unlink deleteDump path traversal
VulDB, archived Mar 22, 2026
A vulnerability has been found in WWBN AVideo up to 25.x and classified as critical. Impacted is the function unlink of the file plugin/CloneSite/cloneServer.json.php. Manipulating the argument deleteDump results in path traversal. This vulnerability is reported as CVE-2026-33293. The attack can be carried out remotely. No exploit exists. The affected component should be upgraded.
VDB-352468 · CVE-2026-33293 · GCVE-0-2026-33293
CVSS Meta Temp Score: 6.6
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 3.97+
Summary
A vulnerability was found in WWBN AVideo up to 25.x and classified as critical. The affected element is the function unlink of the file plugin/CloneSite/cloneServer.json.php. Manipulating the argument deleteDump can lead to path traversal. This vulnerability is tracked as CVE-2026-33293. The attack may be performed remotely. There is no available exploit. Upgrading the affected component is suggested.
Details
A vulnerability classified as critical was found in WWBN AVideo up to 25.x. This vulnerability affects the function unlink of the file plugin/CloneSite/cloneServer.json.php. The manipulation of the argument deleteDump with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. The known impact is on integrity and availability. CVE summarizes:
WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
The advisory is shared for download at github.com. The identifier CVE-2026-33293 has been assigned to this vulnerability since 03/18/2026. The exploitation appears to be easy. The attack can be initiated remotely. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1006.
Searching for inurl:plugin/CloneSite/cloneServer.json.php makes it possible to find vulnerable targets with Google Hacking.
Upgrading to version 26.0 eliminates this vulnerability.
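For installations that cannot upgrade immediately, or for reviewing similar delete endpoints, the following added example shows one way to confine a user-supplied file name to a single directory before it reaches unlink(). It is not AVideo's code or the 26.0 patch; the function name deleteDumpSafely, the dump directory and the file names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not AVideo's code or its 26.0 patch.
// $dumpDir (assumed) is the only directory dumps may be deleted from.
function deleteDumpSafely(string $dumpDir, string $requested): bool
{
    // 1. Accept a bare file name only: no NUL bytes, separators or dot entries.
    if ($requested === '' || strpos($requested, "\0") !== false
        || $requested === '.' || $requested === '..'
        || $requested !== basename($requested)) {
        return false;
    }
    // 2. Resolve both paths. realpath() follows symlinks and returns false
    //    when the path does not exist.
    $base = realpath($dumpDir);
    $target = realpath($dumpDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return false;
    }
    // 3. The resolved target must be a regular file directly inside $base.
    if (dirname($target) !== $base || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree: a dump file plus a stand-in configuration.php
// one level above the dump directory.
$root = sys_get_temp_dir() . '/clone_demo_' . bin2hex(random_bytes(4));
$dumps = $root . '/dumps';
mkdir($dumps, 0700, true);
file_put_contents($root . '/configuration.php', '<?php // stand-in');
file_put_contents($dumps . '/site.sql', '-- constructed dump');

// Traversal input of the kind the advisory describes, then a plain dump name.
var_dump(deleteDumpSafely($dumps, '../configuration.php'));
var_dump(file_exists($root . '/configuration.php'));
var_dump(deleteDumpSafely($dumps, 'site.sql'));
var_dump(file_exists($dumps . '/site.sql'));

// Remove the constructed tree.
unlink($root . '/configuration.php');
rmdir($dumps);
rmdir($root);
```

A symlink swapped in between realpath() and unlink() remains a race, so the dump directory should be writable only by the application user.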
Product
Vendor: WWBN
Name: AVideo
Version: 25.x
License: open-source
Website: https://github.com/WWBN/AVideo/ (product)
CVSSv3
VulDB Meta Base Score: 6.7
VulDB Meta Temp Score: 6.6
VulDB Base Score: 5.4
VulDB Temp Score: 5.2
CNA Base Score (GitHub_M): 8.1
Exploiting
Class: Path traversal
CWE: CWE-22
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: AVideo 26.0
Timeline
03/18/2026 CVE reserved
03/22/2026 +4 days Advisory disclosed
03/22/2026 +0 days VulDB entry created
03/22/2026 +0 days VulDB entry last update
Sources
Product: github.com
Advisory: github.com
Status: Confirmed
CVE: CVE-2026-33293
GCVE (CVE): GCVE-0-2026-33293
GCVE (VulDB): GCVE-100-352468
Entry
Created: 03/22/2026 17:55
Changes: 03/22/2026 17:55 (66)