CVE-2026-40909
Severity: MEDIUM (CVSS 3.1 base score 6.5) · EPSS 46.8%
Published: Apr 21, 2026 · Last modified: Jun 17, 2026
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
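The two defects the description names, an unsanitized request parameter spliced into a file path and a request body written verbatim with `fwrite()`, are a general pattern rather than something specific to this project. The following is an added example, not AVideo's code and not the fixing commit: a hypothetical locale-save handler written to show the unsafe shape beside a hardened one. The constant `LOCALE_DIR`, the helper names `resolveLocalePath`, `saveLocaleUnsafe` and `saveLocaleSafe`, and the `$isAdmin` / `$csrfOk` callables are assumptions for illustration.

```php
<?php
// Added example (hypothetical handler, not the project's code).
// Assumed: LOCALE_DIR is the directory that locale files belong in.
const LOCALE_DIR = __DIR__ . '/locale';

// --- Unsafe shape (the pattern the advisory describes) -------------------
// The file name is taken straight from the request and the body is written
// verbatim, so the caller, not the application, decides where the write lands.
function saveLocaleUnsafe(array $post): void
{
    $path = LOCALE_DIR . '/' . $post['flag'] . '.php'; // unsanitized concatenation
    $fh = fopen($path, 'w');
    fwrite($fh, $post['code']);                         // request body written as-is
    fclose($fh);
}

// --- Hardened shape --------------------------------------------------------
// Step 1: the identifier must match an allowlist (locale codes such as "en"
// or "pt_BR"), which rules out "/", "..", NUL bytes and extensions outright.
// Step 2: the resolved path must still sit inside LOCALE_DIR after realpath(),
// a second, independent check in case the allowlist is ever loosened.
function resolveLocalePath(string $flag): ?string
{
    if (!preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $flag)) {
        return null;
    }
    $base = realpath(LOCALE_DIR);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $flag . '.json';
    $dir = realpath(dirname($candidate));
    if ($dir !== $base) {
        return null;
    }
    return $candidate;
}

// Step 3: authorize and require a CSRF token. Cookies sent with SameSite=None
// accompany cross-site POSTs, so the admin check alone does not stop CSRF.
// Step 4: store the locale as data (JSON), never as a .php file, so a write
// cannot introduce executable code even if every other check fails.
function saveLocaleSafe(array $post, callable $isAdmin, callable $csrfOk): bool
{
    if (!$isAdmin() || !$csrfOk($post['csrf_token'] ?? '')) {
        http_response_code(403);
        return false;
    }
    $path = resolveLocalePath((string)($post['flag'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    $data = json_decode((string)($post['code'] ?? ''), true);
    if (!is_array($data)) {
        http_response_code(400);
        return false;
    }
    $encoded = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE);
    return file_put_contents($path, $encoded, LOCK_EX) !== false;
}
```

The allowlist in step 1 is the control that actually closes the traversal; the `realpath()` containment check in step 2 is defence in depth, and step 4 removes the RCE outcome entirely by making the written file non-executable. When reviewing a fix for this class of bug, confirm that all three are present rather than only a CSRF token, since a token stops the cross-site trigger but leaves the write primitive intact for any account that can reach the endpoint.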
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
Threat Intelligence
- EPSS exploit probability: 46.8% percentile
Exploit & Patch Status
- Public exploit known
- Patch available
Weaknesses (1)
- CWE-22: Path Traversal (Resource Management)
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| wwbn | avideo | * | ≤29.0 |
References (2)
- github.com https://github.com/WWBN/AVideo/commit/57f89ffbc27d37c9d9dd727212334846e78ac21a
- github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-6rc6-p838-686f
Remediation
- github.com https://github.com/WWBN/AVideo/commit/57f89ffbc27d37c9d9dd727212334846e78ac21a