theinfosecnews

CVE-2026-39369

Published April 8, 2026 · Updated April 8, 2026

CVSS 7.6 (High)

What This Means

CVE-2026-39369 is a high-severity vulnerability in WWBN AVideo versions 26.0 and earlier. It allows an authenticated user to exploit the `objects/aVideoEncoderReceiveImage.json.php` endpoint to retrieve sensitive server files, such as `/etc/passwd`, by bypassing traversal protections. Organizations using affected versions should immediately upgrade to the latest release to mitigate this risk.

Official Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.

Recommended Actions

  1. Check whether your systems run the affected product (WWBN AVideo 26.0 and earlier).
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-39369.
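
For step 4, one host-side check that follows from the description: because leaked file bytes are republished under a normal GIF media URL, any stored `.gif` that does not begin with a GIF signature deserves review. This is an added example, not code from the AVideo project or the advisory; the media root path, the function names and the constructed sample files are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Flag stored *.gif files whose content is not GIF data (added example)."""
import os
import sys

GIF_MAGICS = (b"GIF87a", b"GIF89a")  # the two valid GIF signatures


def classify(path):
    """Return 'gif', 'empty' or 'not-gif' based on the first six bytes."""
    with open(path, "rb") as fh:
        head = fh.read(6)
    if not head:
        return "empty"
    return "gif" if head in GIF_MAGICS else "not-gif"


def scan(root):
    """Return sorted (relative path, verdict) pairs for suspicious *.gif files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".gif"):
                continue
            full = os.path.join(dirpath, name)
            try:
                verdict = classify(full)
            except OSError:
                verdict = "unreadable"
            if verdict != "gif":
                findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)


def build_constructed_sample(root):
    """Write constructed sample files (not real data) for a dry run."""
    samples = {
        ("a", "poster.gif"): b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",  # valid header
        ("b", "poster.gif"): b"root:x:0:0:root:/root:/bin/sh\n",      # text, not a GIF
        ("c", "empty.gif"): b"",                                      # zero-byte file
        ("c", "thumb.jpg"): b"\xff\xd8\xff\xe0",                      # ignored: not *.gif
    }
    for (sub, name), data in samples.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    # Usage: script.py <media root>; the path is site-specific (an assumption).
    for rel, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{rel}")
```

A `not-gif` hit is a lead for manual review, not proof of exploitation; correlate its modification time with authenticated requests to `objects/aVideoEncoderReceiveImage.json.php` in the web server logs.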
