Description
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

WWBN AVideo, an open‑source video platform, was found to allow an authenticated administrator to execute arbitrary PHP code on the host. The flaw arose because the plugin import feature accepted a ZIP archive and extracted its contents directly into a publicly accessible plugin directory without validating the names or types of the files inside. An attacker who could log in as an administrator could craft a ZIP containing PHP files, upload it, and then trigger the execution of those files, gaining full control over the server.

Affected Systems

The vulnerability affects all installations of WWBN AVideo running a version older than 24.0. Administrators with access to the plugin import functionality are the only ones able to exploit this flaw; the affected code resides in the community‑sourced "plugin" upload path. Version 24.0 and later contain the necessary fix for the issue.

Risk and Exploitability

The CVSS score of 9.3 marks this flaw as critical. Although the EPSS probability is listed as less than 1 percent, the risk remains high because the only precondition is an authenticated administrator account. The vulnerability is not currently cataloged in the CISA KEV list, but the potential impact of code execution on a public platform warrants immediate attention. An attacker who successfully uploads the malicious ZIP can run arbitrary commands on the server, read or delete data, and potentially pivot to other services.

Generated by OpenCVE AI on April 16, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch contained in AVideo release 24.0 or later to fix the ZIP extraction validation flaw.
  • If patching is delayed, restrict the plugin upload/import feature to a controlled environment or disable it for non‑administrators to limit exposure.
  • Ensure the web server is configured to treat the plugin directory as non‑executable, preventing PHP files placed there from running even if the upload function is still available.
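The Impact section above describes the root cause: an uploaded ZIP is extracted into a web-served plugin directory without checking entry names or file types. The routine below is an added example written for this page, not AVideo's code and not the vendor's 24.0 fix. It shows the validation a defender would put in front of ZipArchive::extractTo: an all-or-nothing pass over every entry that rejects traversal, absolute paths, dotfiles and any server-side extension anywhere in the file name. The function names, the allow and block lists, the target directory and the sample entry names are all assumptions; the code targets PHP 8 with the ext-zip extension.

```php
<?php
// Added example, not AVideo's code: vet every entry of an uploaded plugin ZIP
// before anything is written under the web-served plugin directory.
// Assumes PHP 8 (str_contains/str_ends_with) and the ext-zip extension.
declare(strict_types=1);

// Assumption: a plugin archive carries only data and front-end assets.
// The allow list is illustrative; tighten it to what a deployment needs.
const PLUGIN_ALLOWED_EXTENSIONS = ['json', 'js', 'css', 'html', 'png', 'jpg', 'svg', 'txt', 'md'];

// Extensions an interpreter may be attached to. Every dotted component of the
// file name is checked, so "logo.php.png" is rejected as well as "shell.php".
const PLUGIN_BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'php3', 'php5', 'php7', 'php8', 'pht', 'cgi', 'pl', 'sh'];

/** Returns null when the entry is safe to extract, otherwise the rejection reason. */
function checkPluginZipEntry(string $entryName): ?string
{
    if ($entryName === '' || strlen($entryName) > 255 || str_contains($entryName, "\0")) {
        return 'empty, oversized or NUL-containing entry name';
    }
    // ZIP writers on Windows sometimes emit backslashes; normalise before checking.
    $name = str_replace('\\', '/', $entryName);
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name) === 1) {
        return 'absolute path';
    }
    foreach (explode('/', rtrim($name, '/')) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return 'path traversal or empty path segment';
        }
        if (preg_match('/^[A-Za-z0-9._-]+$/', $segment) !== 1) {
            return 'disallowed character in path segment';
        }
        if ($segment[0] === '.') {
            return 'dotfiles such as .htaccess are not allowed';
        }
    }
    if (str_ends_with($name, '/')) {
        return null; // directory entry: no content, name already vetted
    }
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) < 2) {
        return 'file without an extension';
    }
    array_shift($parts); // drop the stem, keep every extension component
    foreach ($parts as $ext) {
        if (in_array($ext, PLUGIN_BLOCKED_EXTENSIONS, true)) {
            return "server-side extension '$ext' rejected";
        }
    }
    $last = end($parts);
    if (!in_array($last, PLUGIN_ALLOWED_EXTENSIONS, true)) {
        return "extension '$last' not on the allow list";
    }
    return null;
}

/**
 * Validates the whole archive first and extracts only if every entry passed.
 * Returns a map of rejected entry name => reason; an empty array means success.
 */
function extractPluginArchive(string $zipPath, string $pluginDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return [$zipPath => 'cannot open archive'];
    }
    $rejected = [];
    $accepted = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $reason = $name === false ? 'unreadable entry name' : checkPluginZipEntry($name);
        if ($reason !== null) {
            $rejected[(string) $name] = $reason;
        } else {
            $accepted[] = $name;
        }
    }
    // All-or-nothing: a single bad entry means nothing reaches the plugin directory.
    if ($rejected === [] && $accepted !== []) {
        $zip->extractTo($pluginDir, $accepted);
    }
    $zip->close();
    return $rejected;
}

// Constructed entry names, the shape a hostile archive might carry; no ZIP file needed.
$sample = [
    'MyPlugin/plugin.json', 'MyPlugin/assets/app.js', 'MyPlugin/shell.php',
    '../../index.php', 'MyPlugin/.htaccess', 'MyPlugin/logo.php.png',
];
foreach ($sample as $entry) {
    printf("%-26s %s\n", $entry, checkPluginZipEntry($entry) ?? 'ok');
}
```

The order matters more than the lists themselves: validating first and extracting second avoids the window in which an extract-then-delete approach leaves a PHP file reachable through the web server. Pair this check with the third recommended action above, so that a file that does slip past the allow list is still served as static content rather than executed.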

Advisories
Source: GitHub GHSA
ID: GHSA-v8jw-8w5p-23g3
Title: AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
History

Mon, 16 Mar 2026 15:15:00 +0000

Type       Values Removed   Values Added
CPEs                        cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics                     cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Mar 2026 16:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wwbn; Wwbn avideo
Vendors & Products                     Wwbn; Wwbn avideo

Fri, 06 Mar 2026 03:30:00 +0000

Type          Values Removed   Values Added
Description                    WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.
Title                          WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
Weaknesses                     CWE-434
References
Metrics                        cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:10:00.643Z

Reserved: 2026-02-27T20:57:47.709Z

Link: CVE-2026-28502

Vulnrichment

Updated: 2026-03-06T16:01:35.476Z

NVD

Status: Analyzed

Published: 2026-03-06T04:16:08.370

Modified: 2026-03-16T15:03:31.817

Link: CVE-2026-28502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses