CVE-2026-33513

HIGH EPSS 50.0%

Published Mar 23, 20263mo ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Mar 23, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

50.0% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt

CWE-98

Affected Products 1

Vendor	Product	Version	Range
wwbn	avideo	*	≤26.0

References 1

github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.