CVE Reports

Originally published at cvereports.com

GHSA-8FW8-Q79C-FP9M: Unauthenticated Local File Inclusion and Remote Code Execution in AVideo API

Vulnerability ID: GHSA-8FW8-Q79C-FP9M
CVSS Score: 8.6
Published: 2026-03-20

The AVideo platform contains an unauthenticated Local File Inclusion (LFI) vulnerability in its API locale handler. The application concatenates the user-supplied language parameter into a PHP include statement without sanitizing it, allowing attackers to include and execute arbitrary local PHP files and potentially achieve Remote Code Execution.

TL;DR

Unauthenticated path traversal in AVideo's locale API endpoint allows attackers to include arbitrary PHP files, leading to information disclosure and potential Remote Code Execution.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
  • CWE IDs: CWE-22, CWE-98
  • Attack Vector: Network (Unauthenticated HTTP Request)
  • CVSS v3.1 Score: 8.6 (High)
  • Impact: Arbitrary File Read, Potential Remote Code Execution
  • Exploit Status: Proof of Concept (PoC) Available
  • Patch Status: Unpatched (as of version 26.0)

Affected Systems

  • AVideo <= 26.0
  • wwbn/avideo (Composer Package) <= 26.0

Exploit Details

Mitigation Strategies

  • Implement strict input validation and allowlisting for the language parameter.
  • Use basename() or a similar function to strip directory components and traversal sequences from the value before it reaches the include statement.
  • Deploy WAF rules to block ../ sequences in the language parameter for the /plugin/API/get.json.php endpoint.
  • Ensure directories designated for user uploads do not possess PHP execution permissions.

Remediation Steps:

  1. Locate the plugin/API/API.php file in the AVideo installation directory.
  2. Find the get_api_locale() function (approximately line 5009).
  3. Modify the path concatenation line to use basename(): $parameters['language'] = basename(strtolower($parameters['language']));
  4. Implement a regex check to ensure only alphanumeric characters and underscores are accepted.
  5. Restart the web server to ensure the PHP opcode cache is flushed and changes take effect.
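The following is an added example, not AVideo's own code, showing what the mitigation list and remediation steps above look like when combined in one validation routine: basename() to drop directory components, an allowlist regex for the locale name, and (as an extra layer not mentioned in the advisory) a realpath() containment check. The function name resolveLocaleFile, the $localeDir argument, the regex pattern, and the assumption that locale files are named <code>.php are all choices made for this demo.

```php
<?php
// Added example (not AVideo's own code): hardened locale-name validation
// following the remediation steps above. The locale directory layout
// (<code>.php files in one directory) and the regex are assumptions.

declare(strict_types=1);

/**
 * Validate a user-supplied locale name and return the absolute path of the
 * locale file that may be included, or null if the value must be rejected.
 */
function resolveLocaleFile(string $language, string $localeDir): ?string
{
    // Remediation step 3: strip any directory component from the value.
    $language = basename(strtolower(trim($language)));

    // Remediation step 4: allowlist the characters. Locale codes look like
    // "en" or "pt_br"; dots, slashes and anything else are rejected outright.
    if (!preg_match('/^[a-z0-9]+(?:_[a-z0-9]+)*$/', $language)) {
        return null;
    }

    // Defense in depth (added here, not part of the advisory): confirm the
    // resolved file really lives inside the locale directory and exists.
    $base = realpath($localeDir);
    $candidate = realpath($localeDir . DIRECTORY_SEPARATOR . $language . '.php');
    if ($base === false || $candidate === false) {
        return null;               // unknown locale or missing directory
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;               // a symlink or traversal escaped the directory
    }
    return $candidate;
}

// --- Self-contained demo using a constructed temporary locale directory ---
$localeDir = sys_get_temp_dir() . '/locale_demo_' . bin2hex(random_bytes(4));
mkdir($localeDir);
file_put_contents($localeDir . '/en.php', "<?php return ['greeting' => 'hello'];\n");
file_put_contents($localeDir . '/pt_br.php', "<?php return ['greeting' => 'olá'];\n");

// Constructed inputs: two legitimate locales, one unknown locale, and two
// traversal attempts of the kind the advisory describes.
$inputs = ['en', 'PT_BR', 'fr', '../../../configuration.php', 'en.php/../..'];
foreach ($inputs as $input) {
    $file = resolveLocaleFile($input, $localeDir);
    if ($file === null) {
        printf("%-32s rejected\n", json_encode($input));
        continue;
    }
    $strings = include $file;    // safe: $file is a verified, allowlisted path
    printf("%-32s -> %s (%s)\n", json_encode($input), basename($file), $strings['greeting']);
}

// Remove the demo directory again.
array_map('unlink', glob($localeDir . '/*.php'));
rmdir($localeDir);
```

Running the script prints the two real locales resolving to en.php and pt_br.php and the other three inputs rejected: "fr" fails the existence check, the first traversal string is reduced by basename() to "configuration.php" and then fails the regex because of the dot, and the second is reduced to ".." and fails the same way. The realpath() comparison is the layer that would also catch a symlink planted inside the locale directory, which neither basename() nor the regex sees.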

Read the full report for GHSA-8FW8-Q79C-FP9M on our website for more details including interactive diagrams and full exploit analysis.
