CVE-2026-46337

5.3 MEDIUM

WWBN AVideo is an open source video platform

Published: 2026-05-29 · Last updated: 2026-06-01

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-22

Affected products

Vendor	Product
wwbn	avideo

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-46337
[Vendor advisory]https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq
[Vendor advisory]https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq

Related CVEs

Same vendor

CVE-2026-47696 — WWBN AVideo is an open source video platform (4.3 MEDIUM)
CVE-2026-47694 — WWBN AVideo is an open source video platform (5.4 MEDIUM)
CVE-2026-45731 — WWBN AVideo is an open source video platform (4.9 MEDIUM)
CVE-2026-45620 — WWBN AVideo is an open source video platform (5.3 MEDIUM)
CVE-2026-45619 — WWBN AVideo is an open source video platform (6.5 MEDIUM)

Same CWE

CVE-2026-52726 — Dulwich is a pure-Python implementation of the Git file formats and protocols (7.5 HIGH)
CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
CVE-2026-47712 — Dulwich is a pure-Python implementation of the Git file formats and protocols (3.3 LOW)
CVE-2026-46703 — Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to ru... (9.6 CRITICAL)
CVE-2026-42305 — Dulwich is a pure-Python implementation of the Git file formats and protocols (8.8 HIGH)