{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41062", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.173Z", "datePublished": "2026-04-21T22:57:26.304Z", "dateUpdated": "2026-04-22T17:57:23.136Z"}, "containers": {"cna": {"title": "WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6"}, {"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33"}, {"name": "https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d"}, {"name": "https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:57:26.304Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix."}], "source": {"advisory": "GHSA-m63r-m9jh-3vc6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:56:29.782727Z", "id": "CVE-2026-41062", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:57:23.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41062", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:56:29.782727Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:56:49.800Z"}}], "cna": {"title": "WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters", "source": {"advisory": "GHSA-m63r-m9jh-3vc6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 29.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d", "name": "https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441", "name": "https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:57:26.304Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41062", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:57:23.136Z", "dateReserved": "2026-04-16T16:43:03.173Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T22:57:26.304Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix."}], "id": "CVE-2026-41062", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:21.520", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m63r-m9jh-3vc6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T06:12:58.155931+00:00", "value": {"mitigation_remediation": ["Upgrade to a version that includes commit bd11c16, which implements the proper validation of the full URL string.", "If an upgrade is not immediately feasible, apply the patch manually by replacing the vulnerable functions or merging the commit into the deployment.", "Restrict access to the ReceiveImage endpoint to trusted networks or enforce authentication so that only authorized clients can use the downloadURL parameter."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file read via directory traversal"}, "threat_synthesis": {"affected_systems": "WWBN AVideo versions 29.0 and earlier are affected, as they include the buggy handler functions. The issue was introduced in commit 2375eb5e0 and remains until the patch applied in commit bd11c16ec894698e54e2cdae25026c61ad1ed441.", "description_and_impact": "The vulnerability arises from an incomplete validation of the downloadURL query string in the AVideo ReceiveImage endpoint, allowing an attacker to supply a \"/videos/../../\" traversal payload that bypasses the path check and causes the server to retrieve local files. This directory traversal flaw can be exploited to read arbitrary files on the server, potentially exposing sensitive data such as configuration files, credentials, or source code and paving the way for further compromise.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, and the EPSS score is currently unavailable, suggesting that no high\u2011impact exploitation trend is documented. The vulnerability is not listed in the CISA KEV catalog. As the directory traversal is triggered via a crafted HTTP request, the likely attack vector is remote traffic directed at the API endpoint; an attacker only needs network access to the host. Given the impact of arbitrary file read, any compromise of this resource can lead to sensitive disclosure and further exploitation. While no active exploitation has been reported currently, the flaw warrants prompt remediation."}}}}, "created": "2026-04-22T04:30:05.305956+00:00", "updated": "2026-04-22T06:15:10.419304+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}