JustAppSec

CloneSite path traversal enables arbitrary file deletion in AVideo

1 min read · Published 22 Mar 2026 · Updated 22 Mar 2026 · Source: CVEProject (cvelistV5)

TL;DR — A path traversal in AVideo’s CloneSite plugin lets attackers with clone credentials delete arbitrary server files, potentially taking the platform down or removing security-critical configuration.

What happened

WWBN/AVideo is an open-source video platform used to host and stream video content with a plugin ecosystem for extending features. CVE-2026-33293 describes a path traversal leading to arbitrary file deletion in AVideo’s CloneSite plugin: the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink() without path sanitization.

Per the CVE record, an attacker with valid clone credentials can supply traversal sequences (for example ../../) to delete arbitrary files, including application-critical files such as configuration.php. The issue is fixed in AVideo 26.0.

File-path canonicalization bugs remain a repeat offender in web apps and “admin/ops” plugins: when a plugin exposes filesystem primitives over HTTP, the result is often immediate availability impact (DoS) plus follow-on risk when security-relevant files can be removed.
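To make the defect concrete, here is an added example (not AVideo's own code; function names and the dump-directory layout are assumptions for illustration) that places the unsafe pattern the CVE describes next to a hardened version. The hardened function allow-lists the file name, refuses symlinks, and confines the canonical path to the dump directory before calling unlink():

```php
<?php
// Added example, not AVideo's code: the unsafe pattern the CVE describes,
// next to a hardened version. Function names and the dump directory layout
// are assumptions for illustration.

// Unsafe: the request value reaches unlink() unchanged, so "../" segments
// (or an absolute path) escape the intended directory.
function deleteDumpUnsafe(string $requested): bool
{
    return @unlink($requested);
}

// Hardened: allow-list the file name, then confine the canonical path to the
// dump directory before unlinking. Returns true only on a successful delete.
function deleteDumpSafe(string $requested, string $dumpDir): bool
{
    // 1. Only a plain file name: letters, digits, dot, underscore, hyphen;
    //    no separators, no leading dot (so "." and ".." cannot pass), no NUL.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $requested)) {
        return false;
    }

    // 2. Canonicalize the base directory itself.
    $base = realpath($dumpDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $target = $base . DIRECTORY_SEPARATOR . $requested;

    // 3. Refuse symlinks: realpath() would follow them to wherever they point.
    if (is_link($target) || !is_file($target)) {
        return false;
    }

    // 4. Defense in depth: the canonical path must still sit under $base.
    $canonical = realpath($target);
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($canonical === false || strncmp($canonical, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($canonical);
}

// Self-check with a throwaway directory (runs only from the CLI).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dumps_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    file_put_contents($dir . '/site_2026-03-21.sql', 'constructed dump');
    $outside = $dir . '_outside.txt';
    file_put_contents($outside, 'must survive');

    // Traversal attempt: refused, and the file outside the directory survives.
    var_dump(deleteDumpSafe('../' . basename($outside), $dir));
    var_dump(file_exists($outside));
    // Legitimate dump name inside the directory: deleted.
    var_dump(deleteDumpSafe('site_2026-03-21.sql', $dir));
    var_dump(file_exists($dir . '/site_2026-03-21.sql'));

    unlink($outside);
    rmdir($dir);
}
```

The allow-list in step 1 is the real fix; the realpath() prefix check in step 4 is there so that a future relaxation of the regex does not silently reopen the traversal. The credential check that gates the endpoint is unchanged by this and still matters, since the CVE requires valid clone credentials.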

Who is impacted

  • Deployments running WWBN/AVideo versions < 26.0.
  • Instances that have the CloneSite plugin endpoint reachable.
  • Environments where an attacker can obtain or abuse valid clone credentials (the CVE notes privileges required are Low).

Component: plugin/CloneSite/cloneServer.json.php (deleteDump → unlink())
Affected (per CVE): < 26.0
Impact: Arbitrary file deletion (DoS and potential weakening of security controls)

What to do now

  • Follow vendor remediation guidance and apply the fixed release referenced by the disclosure:

    "Version 26.0 fixes the issue."

  • Inventory where AVideo is deployed and identify any instances running versions < 26.0.
  • Treat exposure of CloneSite clone credentials as high risk: rotate any credentials/tokens that could authenticate to CloneSite functionality.
  • Until fully remediated, reduce the attack surface by restricting network access to CloneSite-related endpoints and monitoring for suspicious requests targeting plugin/CloneSite/cloneServer.json.php with traversal patterns (for example ../).
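As an added example of the monitoring step above (not part of the advisory or of AVideo), the following scans web-server access log lines for requests to plugin/CloneSite/cloneServer.json.php whose query string carries a traversal pattern, including percent-encoded and double-encoded variants. The log lines are constructed for illustration, and the example assumes the parameter arrives in the query string; if the plugin accepts it in a POST body, the value will not appear in standard access logs and application-level logging is needed instead.

```php
<?php
// Added example, not part of the advisory or AVideo: flag requests to the
// CloneSite endpoint whose query string carries a traversal pattern.
// The log lines below are constructed for illustration.

const CLONESITE_PATH = '/plugin/CloneSite/cloneServer.json.php';

// Decode percent-encoding repeatedly (bounded) so double-encoded forms such
// as "%252e%252e%252f" are caught, and treat backslashes like slashes.
function normalizeQuery(string $q): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($q);
        if ($decoded === $q) {
            break;
        }
        $q = $decoded;
    }
    return str_replace('\\', '/', $q);
}

// Returns one entry per suspicious line: ['line' => ..., 'reason' => ...].
function findTraversalRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Common/combined log format: "METHOD /path?query HTTP/x.y"
        if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url   = $m[1];
        $path  = parse_url($url, PHP_URL_PATH);
        $query = parse_url($url, PHP_URL_QUERY);
        if (!is_string($path) || strcasecmp($path, CLONESITE_PATH) !== 0) {
            continue;
        }
        $normalized = normalizeQuery(is_string($query) ? $query : '');

        $reasons = [];
        if (strpos($normalized, '../') !== false) {
            $reasons[] = 'query contains "../" after decoding';
        }
        parse_str($normalized, $params);
        if (isset($params['deleteDump']) && is_string($params['deleteDump'])) {
            $v = $params['deleteDump'];
            if ($v !== '' && $v[0] === '/') {
                $reasons[] = 'deleteDump is an absolute path';
            }
        }
        if ($reasons !== []) {
            $hits[] = ['line' => $line, 'reason' => implode('; ', $reasons)];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sampleLog = [
    '203.0.113.10 - - [22/Mar/2026:10:01:02 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=site_2026-03-21.sql HTTP/1.1" 200 512',
    '203.0.113.10 - - [22/Mar/2026:10:01:05 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=../../configuration.php HTTP/1.1" 200 80',
    '203.0.113.10 - - [22/Mar/2026:10:01:07 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=..%252F..%252Fconfiguration.php HTTP/1.1" 200 80',
    '203.0.113.10 - - [22/Mar/2026:10:01:09 +0000] "GET /index.php?deleteDump=../x HTTP/1.1" 200 2048',
];

if (PHP_SAPI === 'cli') {
    // Only the second and third lines target the CloneSite endpoint with a
    // traversal pattern; the fourth hits a different path and is ignored.
    foreach (findTraversalRequests($sampleLog) as $hit) {
        echo $hit['reason'], "\n  ", $hit['line'], "\n";
    }
}
```

Scoping the match to the CloneSite path keeps the alert precise, but a broader rule that flags "../" against any plugin endpoint is a reasonable companion, since the same primitive tends to recur across admin-style plugins. Log retention matters here too: once a configuration file is gone, the access log may be the only record of which credential issued the request.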
