CVE-2026-46337: AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
The endpoint requires no authentication. An unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application’s normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via `..` traversal.