CVE-2026-33238: AVideo Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration
The listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories.
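The following is an added illustration, not AVideo's own code: the unconstrained glob() pattern the advisory describes, next to a hardened handler that canonicalises the requested directory, rejects anything outside a configured media root, and returns only basenames so absolute server paths are never disclosed. Function names and the media root path are assumptions.

```php
<?php
// Added example (not AVideo's source): the unsafe pattern the advisory describes,
// beside a hardened version that pins listings under one base directory.
// Function and variable names and the media root are assumptions for illustration.

// Unsafe: the caller-supplied path reaches glob() with no base-directory restriction.
function listMp4Unsafe(string $path): array
{
    return glob(rtrim($path, '/') . '/*.mp4') ?: [];
}

// Hardened: resolve the requested directory with realpath() and refuse anything
// that does not sit under the allowed base directory.
function listMp4Safe(string $requested, string $baseDir): array
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses "..", symlinks and duplicate separators; a false
    // result means the directory does not exist, which is also a rejection.
    $dir = realpath($base . ltrim($requested, '/\\'));
    if ($dir === false) {
        return [];
    }
    $dir = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Prefix check on the canonical path; the trailing separator stops a sibling
    // such as "/var/media2" from passing as a child of "/var/media".
    if (strncmp($dir, $base, strlen($base)) !== 0) {
        error_log('listFiles: rejected path outside media root: ' . $requested);
        return [];
    }

    // Return only basenames so absolute filesystem paths never leave the server.
    return array_map('basename', glob($dir . '*.mp4') ?: []);
}

// Usage: only a subdirectory relative to the configured media root is accepted.
$mediaRoot = '/var/www/avideo/videos'; // assumed media root
$files = listMp4Safe($_POST['path'] ?? '', $mediaRoot);
header('Content-Type: application/json');
echo json_encode(['files' => $files]);
```

The caller's authentication and role check (the advisory notes the endpoint is reachable by authenticated uploaders) is assumed to happen before this handler runs.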