CVE-2026-33681: AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

March 25, 2026

The objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName() without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any install/install.sql file on the filesystem as raw SQL queries against the application database.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb
github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr
github.com/advisories/GHSA-3hwv-x8g3-9qpr
github.com/advisories/GHSA-v8jw-8w5p-23g3
nvd.nist.gov/vuln/detail/CVE-2026-33681

Code Behaviors & Features

Detect and mitigate CVE-2026-33681 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →