CVE-2026-41058 · HIGH 8.1 · EPSS p36.9%

Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.47% probability of exploitation · percentile 36.9% · 2026-06-18T12:00:27Z
Published: 2026-04-21
Last modified: 2026-04-24

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2
  2. https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284
  3. https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2
  4. https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33293
  2. CVE-2026-41064
  3. CVE-2026-41304
  4. CVE-2026-29058
  5. CVE-2026-33478
  6. CVE-2026-41056

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.