DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33717: CVE-2026-33717: Remote Code Execution in WWBN AVideo via Persistent PHP File Upload

#security #cve #cybersecurity

CVE-2026-33717: Remote Code Execution in WWBN AVideo via Persistent PHP File Upload

Vulnerability ID: CVE-2026-33717
CVSS Score: 8.8
Published: 2026-03-25

WWBN AVideo versions up to and including 26.0 are vulnerable to authenticated Remote Code Execution (RCE) via an unrestricted file upload flaw. The vulnerability involves improper error handling during remote video fetching, allowing an attacker to bypass file cleanup routines and persistently store malicious PHP scripts in a web-accessible directory.

TL;DR

Authenticated attackers can upload and execute arbitrary PHP code by exploiting a logic flaw in the video fetching mechanism of WWBN AVideo <= 26.0.

⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-434
  • Attack Vector: Network
  • CVSS v3.1: 8.8
  • EPSS: 0.04%
  • Impact: High (RCE)
  • Exploit Status: Weaponized
  • KEV Status: Not Listed

Affected Systems

  • WWBN AVideo <= 26.0
  • PHP Web Server Environments hosting AVideo
  • AVideo: <= 26.0 (Fixed in: 26.1)

Code Analysis

Commit: 6da79b4

Moved resolution validation to the top of the request handling and added extension whitelisting to downloadVideoFromDownloadURL function.

Mitigation Strategies

  • Update WWBN AVideo to version 26.1 or later to implement proper input validation and extension allowlisting.
  • Disable PHP execution in cache directories via web server configuration (e.g., .htaccess or Nginx location blocks).
  • Implement restrictive egress filtering to prevent the AVideo server from fetching content from arbitrary external domains.

Remediation Steps:

  1. Audit existing user accounts with encoder privileges to ensure no unauthorized access exists.
  2. Review the contents of the 'videos/cache/tmpFile/' directory for suspicious files, particularly those with a .php extension.
  3. Apply the vendor-provided patch or pull the latest repository changes containing commit 6da79b43484099a0b660d1544a63c07b633ed3a2.
  4. Verify the update by confirming 'aVideoEncoder.json.php' validates the resolution parameter prior to initiating downloads.

References

Read the full report for CVE-2026-33717 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)