CVE-2026-33513: Unauthenticated Local File Inclusion in WWBN AVideo API Plugin
Vulnerability ID: CVE-2026-33513
CVSS Score: 8.6
Published: 2026-03-20
CVE-2026-33513 is a high-severity vulnerability in the API plugin of WWBN AVideo (formerly YouPHPTube). The flaw lies in how the plugin handles the locale (language) name supplied to an unauthenticated endpoint, which allows directory traversal. An attacker can use it to include arbitrary PHP files, leading to information disclosure and potential Remote Code Execution (RCE) on the underlying server.
TL;DR
Unauthenticated Local File Inclusion (LFI) vulnerability in WWBN AVideo versions up to 26.0 via the 'language' parameter in the API plugin, potentially enabling Remote Code Execution.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS v3.1 Score: 8.6 (High)
- Impact: Information Disclosure / RCE
- Exploit Status: Proof of Concept
- Authentication: None Required
- KEV Status: Not Listed
Affected Systems
- WWBN AVideo <= 26.0
- Fixed in: None
Mitigation Strategies
- Disable the API Plugin via the AVideo plugin manager
- Implement WAF rules to block path traversal sequences directed at get.json.php
- Enforce strict file system permissions to prevent web server writes to include paths
- Modify source code to implement realpath() validation or transition to JSON localization
Remediation Steps
- Log in to the AVideo administrative interface and navigate to the plugin manager.
- Locate the API plugin and set its status to Disabled.
- If the plugin is required, configure your reverse proxy or WAF to block requests matching the pattern '../' on the /plugin/API/get.json.php endpoint.
- Apply the manual source code patch to plugin/API/API.php to validate the $requestedFile against the expected base directory using realpath() and strpos().
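The realpath()/strpos() containment check that the last remediation step calls for, written out as an added illustrative example; this is not the project's own patch, and the function name, the locale directory layout and the include site are assumptions.

```php
<?php
// Illustrative containment check for a user-supplied locale name.
// Not code from the AVideo project; resolveLocaleFile() and the
// "<dir>/locale/<lang>.php" layout are assumed for the example.

/**
 * Resolve a user-supplied language name to a file inside $localeDir.
 * Returns the canonical path on success, or null if the request must be rejected.
 */
function resolveLocaleFile(string $language, string $localeDir): ?string
{
    // Defence in depth: accept only plain locale identifiers such as "en" or "pt_BR",
    // so traversal sequences and null bytes never reach the file system calls.
    if (!preg_match('/^[A-Za-z]{2,3}(_[A-Za-z]{2,4})?$/', $language)) {
        return null;
    }

    // Canonicalise the allowed base directory once; realpath() returns false if it is missing.
    $base = realpath($localeDir);
    if ($base === false) {
        return null;
    }

    // Canonicalise the requested file. realpath() collapses "..", "." and symlinks,
    // and returns false when the target does not exist.
    $requestedFile = realpath($base . DIRECTORY_SEPARATOR . $language . '.php');
    if ($requestedFile === false) {
        return null;
    }

    // Containment check: the resolved path must start with the base directory plus
    // a separator, so a sibling such as "/app/locale-other" cannot pass as "/app/locale".
    if (strpos($requestedFile, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $requestedFile;
}

// Assumed include site: reject the request instead of including an unvalidated path.
$language = $_GET['language'] ?? 'en';
$file = resolveLocaleFile($language, __DIR__ . '/locale');
if ($file === null) {
    http_response_code(400);
    exit('invalid language');
}
require $file;
```

Both checks are kept on purpose: the pattern match rejects malformed input early and gives a clean log signal, while the realpath()/strpos() comparison guards the include even if the allowlist is later loosened.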
References
- WWBN AVideo GitHub Security Advisory GHSA-8fw8-q79c-fp9m
- CVE-2026-33513 Record
- Wiz Vulnerability Database - CVE-2026-33513