CVE-2026-39369: WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path.
The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
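A defensive check for this class of bug, as an added example that is not AVideo's code or its patch: instead of scrubbing traversal sequences from a string, canonicalize the path, confirm it stays inside the media root, and confirm the bytes really are a GIF before storing them under a public URL. The function name, `$videosRoot`, and the assumption that the endpoint has already mapped the fetched URL to a candidate filesystem path are hypothetical.

```php
<?php
// Added example, not AVideo code. Names and paths are hypothetical.

/**
 * Return the file's bytes only if $candidate resolves to a regular file
 * inside $videosRoot and its content starts with a GIF signature.
 * Returns null in every other case.
 */
function loadGifPosterSafely(string $candidate, string $videosRoot): ?string
{
    $root = realpath($videosRoot);
    $real = realpath($candidate); // resolves "..", "." and symlinks
    if ($root === false || $real === false) {
        return null;
    }
    // Compare canonical paths, with a trailing separator so that a sibling
    // such as "/srv/videos_old" does not pass as "/srv/videos".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    $bytes = file_get_contents($real);
    if ($bytes === false) {
        return null;
    }
    // Content check: a GIF begins with "GIF87a" or "GIF89a".
    $magic = substr($bytes, 0, 6);
    if ($magic !== 'GIF87a' && $magic !== 'GIF89a') {
        return null;
    }
    return $bytes;
}

// Constructed sample files in a temporary directory.
$base = sys_get_temp_dir() . '/poster_demo_' . bin2hex(random_bytes(4));
mkdir("$base/videos", 0700, true);
file_put_contents("$base/videos/ok.gif", 'GIF89a' . str_repeat("\0", 16));
file_put_contents("$base/videos/notes.txt", 'plain text');
file_put_contents("$base/outside.txt", 'not under the media root');

// Case 1: inside the root with GIF content.
var_dump(loadGifPosterSafely("$base/videos/ok.gif", "$base/videos") !== null);
// Case 2: resolves outside the root.
var_dump(loadGifPosterSafely("$base/videos/../outside.txt", "$base/videos") === null);
// Case 3: inside the root but not a GIF.
var_dump(loadGifPosterSafely("$base/videos/notes.txt", "$base/videos") === null);
```

The signature check only stops non-image bytes from being republished as a poster; it is not a full image validation.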