Key Takeaway
CVE-2026-39369 affects WWBN AVideo versions 26.0 and earlier, allowing authenticated users to read sensitive server files via path traversal. Upgrade immediately to secure affected systems.
What Happened
A high-severity vulnerability, identified as CVE-2026-39369, has been discovered in WWBN AVideo, an open-source video platform widely used by organizations for video hosting and streaming. The vulnerability affects versions 26.0 and earlier and was found in the file objects/aVideoEncoderReceiveImage.json.php. This flaw allows authenticated users to abuse a server-side endpoint to read sensitive local files on the server. Exposure of such files could lead to severe information leakage and further exploitation if left unpatched.
The vulnerability was discovered during an internal security review in early 2026. As of the discovery, there have been no reports of this vulnerability being publicly exploited in the wild. However, the potential impact of CVE-2026-39369 on exposed servers and sensitive data is considerable, prompting immediate attention from organizations using the affected software versions.
Technical Details
CVE-2026-39369 is classified as a path traversal vulnerability with a CVSS score of 7.6. The root cause lies in the objects/aVideoEncoderReceiveImage.json.php script, which an attacker can manipulate to bypass the existing traversal protections. The vulnerability is triggered when an authenticated uploader targets same-origin /videos/... URLs, which bypasses the built-in scrubber meant to keep requests within permitted server directories. As a result, attackers can read arbitrary server-local files, including sensitive configuration and application source files.
The attack vector centers on the GIF poster storage path, which can be used to re-publish any retrieved sensitive data through publicly accessible GIF URLs. While the vulnerability requires authentication, any compromised or malicious user with upload permissions can leverage this flaw to breach server confidentiality. Known Indicators of Compromise (IOCs) include unusual access-log entries showing unauthorized read attempts on server-local files.
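The defensive pattern the scrubber described above needs is to decide confinement on the canonical filesystem path, not on the string the caller supplied. The following is an added example and not code from the AVideo project: a poster location may arrive as a bare file name or as a same-origin URL, and both are resolved to a path and accepted only if that path stays inside the videos directory. The web root /srv/avideo, the /videos/ URL prefix and the hostname videos.example.org are assumptions for this example.

```python
"""Confining a caller-supplied poster location to the videos directory."""
import os
from typing import Optional
from urllib.parse import unquote, urlparse

# Assumed layout for this example (not the project's real paths): web root
# /srv/avideo with poster images stored under its videos/ subtree.
WEB_ROOT = "/srv/avideo"
VIDEOS_DIR = os.path.join(WEB_ROOT, "videos")
SITE_HOSTS = {"videos.example.org"}  # constructed: the site's own hostname(s)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so a double-encoded '..' is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_requested(location: str) -> Optional[str]:
    """Map a bare name or a same-origin URL onto a candidate filesystem path.

    Returns None for anything that is not a local reference (foreign hosts,
    unsupported schemes), so a remote URL is never turned into a local path.
    """
    parsed = urlparse(location)
    if parsed.scheme or parsed.netloc:
        if parsed.scheme not in ("http", "https") or parsed.hostname not in SITE_HOSTS:
            return None
        # Same-origin URL: its path is relative to the web root. Whether it
        # really lands inside videos/ is decided by is_confined(), not here.
        url_path = fully_decode(parsed.path)
        return os.path.join(WEB_ROOT, url_path.lstrip("/"))
    # Bare name: interpret it relative to the videos directory. Note that
    # os.path.join() discards the base when given an absolute path, which is
    # exactly why the guard has to be the confinement check, not the join.
    return os.path.join(VIDEOS_DIR, fully_decode(location))


def is_confined(candidate: str, base: str = VIDEOS_DIR) -> bool:
    """True only if the canonical path is the base itself or a descendant of it.

    realpath() collapses '..' segments (and follows symlinks on a live system),
    so the comparison is made on what the OS would actually open.
    """
    real_base = os.path.realpath(base)
    real_candidate = os.path.realpath(candidate)
    return real_candidate == real_base or real_candidate.startswith(real_base + os.sep)


def safe_poster_path(location: str) -> Optional[str]:
    """Return the canonical path to serve, or None if the request is rejected."""
    candidate = resolve_requested(location)
    if candidate is None or not is_confined(candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    for loc in ("abc123/poster.gif",
                "../../../etc/passwd",
                "https://videos.example.org/videos/abc123/poster.gif",
                "https://videos.example.org/videos/../index.php"):
        print(f"{loc!r:60} -> {safe_poster_path(loc)}")
```

The point of resolving first and comparing afterwards is that every spelling of the same escape (plain `..`, percent-encoded, double-encoded, or hidden in a same-origin URL path) collapses to one canonical path, so there is a single place where the decision is made.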
Impact
The primary impact of CVE-2026-39369 is unauthorized access to sensitive files located on the affected server. This includes files such as /etc/passwd, which holds critical information about user accounts and system configuration. Exposure of such files not only compromises the confidentiality of system data but also gives attackers a foothold for further privileged operations.
The scale of the impact largely depends on the server's role and the sensitivity of the data stored within these local files. Given the popularity of WWBN AVideo as a video hosting platform, organizations utilizing unpatched versions face both immediate security threats and potential reputational damage if the vulnerability is exploited.
What To Do
- Upgrade Immediately: Organizations using WWBN AVideo versions 26.0 and earlier should upgrade to the latest secure version as soon as possible.
- Restrict Access: Limit upload permissions to trusted users only to minimize the risk of exploitation by unauthorized users.
- Review Logs: Monitor server logs for any irregular access patterns that might indicate attempted exploitation of this vulnerability.
- Apply Firewall Rules: Implement strict firewall rules to restrict access to unknown or as-yet unidentified endpoints.
- Perform Regular Audits: Conduct regular security audits and code reviews focusing on file upload endpoints.
Entities relying on WWBN AVideo should address this vulnerability as a priority to prevent unauthorized access and potential data breaches. Vigilant monitoring and prompt application of security patches will mitigate risks associated with this path traversal flaw.
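For the log review recommended above, the following is an added example, not code from the AVideo project. It scans combined-format access-log lines for requests to aVideoEncoderReceiveImage.json.php (the script named in this advisory) whose decoded query parameters either contain a `..` path segment or point a same-origin URL at the /videos/ tree, the two conditions the Technical Details section describes. The sample log lines, the hostname videos.example.org and the parameter names are constructed for the example.

```python
"""Flagging suspicious requests to the poster-receiving endpoint in access logs."""
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, unquote, urlparse

SITE_HOSTS = {"videos.example.org"}                # constructed: the site's own hostname(s)
ENDPOINT = "aVideoEncoderReceiveImage.json.php"   # script named in the advisory

# Combined log format: client ident user [time] "METHOD target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one benign upload, one traversal via a same-origin URL,
# an unrelated poster fetch, and a double-encoded traversal in a bare name.
SAMPLE_LOG = [
    '203.0.113.7 - uploader1 [12/Mar/2026:10:01:02 +0000] "POST /objects/aVideoEncoderReceiveImage.json.php?videos_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - uploader1 [12/Mar/2026:10:01:09 +0000] "POST /objects/aVideoEncoderReceiveImage.json.php?videos_id=42&image=https%3A%2F%2Fvideos.example.org%2Fvideos%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2026:10:02:00 +0000] "GET /videos/abc123/poster.gif HTTP/1.1" 200 1048 "-" "Mozilla/5.0"',
    '203.0.113.7 - uploader1 [12/Mar/2026:10:03:15 +0000] "POST /objects/aVideoEncoderReceiveImage.json.php?videos_id=42&image=%252e%252e%2F%252e%252e%2Fapp-config.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Dict[str, str]:
    """Return a finding for a suspicious request to the endpoint, else an empty dict."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    parsed = urlparse(m.group("target"))
    if not parsed.path.endswith(ENDPOINT):
        return {}
    reasons: List[str] = []
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        decoded = fully_decode(value)
        # A '..' segment anywhere in the value, regardless of separator style.
        if ".." in decoded.replace("\\", "/").split("/"):
            reasons.append(f"traversal sequence in parameter {name}")
        # A URL that points back at this site's own /videos/ tree.
        as_url = urlparse(decoded)
        if (as_url.scheme in ("http", "https") and as_url.hostname in SITE_HOSTS
                and as_url.path.startswith("/videos/")):
            reasons.append(f"same-origin /videos/ URL in parameter {name}")
    if not reasons:
        return {}
    return {"ip": m.group("ip"), "user": m.group("user"), "time": m.group("time"),
            "status": m.group("status"), "reasons": "; ".join(reasons)}


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep the findings."""
    return [finding for finding in (classify(line) for line in lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} user={finding['user']} "
              f"status={finding['status']}: {finding['reasons']}")
```

A 200 status on a flagged request is the detail to follow up on, since it means the server actually returned something for the traversal; the corresponding GIF poster URL for that upload is then the place to check for re-published file contents.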
Original Source
NVD