CVE-2026-45731— WWBN AVideo: Authenticated Arbitrary File Read in view/update.php

AI Predicted 7.5 Difficulty: Easy Updated May 29, 2026

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

Vendor	Product	Version Range	Status
WWBN	AVideo	`<= 29.0`	affected

Updated May 29, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

WWBN AVideo: Authenticated Arbitrary File Read in view/update.php

Source: NVD (National Vulnerability Database)

Vulnerability Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

对路径名的限制不恰当(路径遍历)

Source: NVD (National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
WWBN	AVideo	<= 29.0	-

II. Public POCs for CVE-2026-45731

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-45731

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-45731 (1)

🔗 Authenticated Arbitrary File Read in view/update.php · Advisory · WWBN/AVideo · GitHub Read full article x_refsource_CONFIRM

https://nvd.nist.gov/vuln/detail/CVE-2026-45731

Same Patch Batch · WWBN · 2026-05-29 · 9 CVEs total

CVE-2026-45578	8.8 HIGH	WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
CVE-2026-45619	6.5 MEDIUM	AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$re
CVE-2026-45610	5.7 MEDIUM	WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection,
CVE-2026-45580	5.4 MEDIUM	WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribu
CVE-2026-47694	5.4 MEDIUM	WWBN AVideo: Stored XSS via unescaped Gallery category description
CVE-2026-45620	5.3 MEDIUM	AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated
CVE-2026-47696		WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
CVE-2026-46337		WWBN AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404

IV. Related Vulnerabilities

Same product: AVideo

Same vendor: WWBN

Same weakness: CWE-22

V. Comments for CVE-2026-45731

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-45731— WWBN AVideo: Authenticated Arbitrary File Read in view/update.php

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-45731

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-45731

III. Intelligence Information for CVE-2026-45731

Vendor Advisories for CVE-2026-45731 (1)

Same Patch Batch · WWBN · 2026-05-29 · 9 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-45731

Leave a comment