CVE-2026-39369 WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storag...