WWBN AVideo is an open source video platform. In versions up to and including 26.0, the "objects/import.json.php" endpoint accepts a user-controlled "fileURI" POST parameter with only a regex check that the value ends in ".mp4". Unlike "objects/listFiles.json.php", which was hardened with a "realpath()" + directory prefix check to restrict paths to the "videos/" directory, "import.json.php" performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read ".txt"/".html"/".htm" files adjacent to any ".mp4" file on the filesystem, and (3) delete ".mp4" and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch.