{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39369", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.350Z", "datePublished": "2026-04-07T19:24:33.421Z", "dateUpdated": "2026-04-08T14:37:21.842Z"}, "containers": {"cna": {"title": "WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:24:33.421Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL."}], "source": {"advisory": "GHSA-f4f9-627c-jh33", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:36:32.298649Z", "id": "CVE-2026-39369", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:37:21.842Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39369", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:36:32.298649Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:37:16.894Z"}}], "cna": {"title": "WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs", "source": {"advisory": "GHSA-f4f9-627c-jh33", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:24:33.421Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39369", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:37:21.842Z", "dateReserved": "2026-04-06T21:29:17.350Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:24:33.421Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL."}], "id": "CVE-2026-39369", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:31.320", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T22:20:37.652560+00:00", "value": {"mitigation_remediation": ["Upgrade to WWBN AVideo version 26.1 or later when it is released; if an official patch is not yet available, disable the GIF poster feature for authenticated uploads until a fix is deployed.", "Restrict access to the /videos/ directory by applying stricter file system permissions to prevent unprivileged users from accessing the GIF storage path.", "Enforce tighter authentication controls and monitor upload activity for abnormal patterns that could indicate exploitation.", "If a temporary workaround is necessary, block access to the /videos/... endpoint for unauthenticated users and validate or sanitize all file paths before fetching media."], "summary": {"action": "Patch", "impact": "Local File Disclosure"}, "threat_synthesis": {"affected_systems": "The issue affects the open source WWBN AVideo platform, specifically all releases version 26.0 and earlier. Administrators or users who have uploaded content to the platform are able to exploit this flaw. Clients using older AVideo deployments are therefore at risk until the platform is updated.", "description_and_impact": "The vulnerability resides in the GIF poster generation component of WWBN AVideo. An authenticated uploader can request the same-origin /videos/... URL to trigger object/aVideoEncoderReceiveImage.json.php, which mistakenly allows directory traversal before accessing files in the GIF storage directory. This flaw lets a malicious user read arbitrary server\u2011side files, such as /etc/passwd or the application's source code, and ship them back through a publicly accessible GIF media URL. The weakness is a classic path traversal condition, specifically CWE\u201122, and results in confidentiality loss of sensitive filesystem content.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high\u2011severity threat. Because the exploitation requires authentication as an uploader, an attacker must have valid account credentials, which reduces the overall attack surface compared to unauthenticated flaws. EPSS data is not available, and the vulnerability is not listed in the KEV catalog, but the high severity score suggests it should be treated with urgency. The attacker can compromise confidentiality but cannot directly execute code on the server through this vector."}}}}, "created": "2026-04-08T19:34:43.207793+00:00", "updated": "2026-04-08T19:46:18.215642+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}