[HIGH] AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

PKSA-ht27-8rcs-t939 CVE-2026-33292 GHSA-pw4v-x838-w5pg

Affected package: wwbn/avideo

Affected version: <=25.0

Reported by:
GitHub