Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of the time of publication, no patched versions are available.
Published: 2026-03-23
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

An insecure API endpoint named locale accepts user-supplied data and concatenates it directly into an include statement with no path validation or whitelist. Because directory traversal is permitted, an attacker can force the application to include any file under the web root. When the included file is a PHP script, the interpreter executes it, allowing the attacker to read server files and, if they can place a PHP file elsewhere in the file system, to run arbitrary code on the host. The root cause is improper handling of a filename used in an include, classified under CWE-22 (path traversal) and CWE-98 (improper control of a filename for a PHP include statement).

Affected Systems

The vulnerability affects the WWBN AVideo video platform, specifically all versions up to and including 26.0. No patched releases have been published at the time of this advisory, leaving installations of those versions vulnerable.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, with impact on the confidentiality, integrity, and availability of the affected application. The EPSS score is below 1 percent, suggesting the overall likelihood of exploitation in the broader ecosystem is low, and the vulnerability is not present in CISA’s Known Exploited Vulnerabilities catalog. Attackers gain access by sending an unauthenticated request to the locale endpoint; for full remote code execution they additionally need the ability to create or control a PHP file that the application can include. If these conditions are met, the attacker can compromise the entire hosting environment.

Generated by OpenCVE AI on March 25, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check for and install any newer release of WWBN AVideo that removes the insecure include logic.
  • If no patch is available, block external access to the APIName=locale endpoint using firewall rules or web-application configuration.
  • Configure the web server to require authentication for the locale endpoint, or reject unauthenticated requests.
  • Modify the application code to sanitize the locale parameter, removing directory separators and enforcing an explicit whitelist of allowed values.
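The last action in code form, as an added example that is constructed for this page and is not AVideo's own source: the unsafe concatenation pattern beside a version that checks the value against a fixed list of locale codes and confirms the canonical path stays inside the locale directory. The directory name, the locale codes and the parameter name are assumptions.

```php
<?php
// Constructed example, not the project's code. The weak shape: the request
// value is glued straight into the include path, so any traversal sequence
// in $locale walks out of $localeDir and any .php under the web root runs.
function vulnerable_locale_path(string $localeDir, string $locale): string
{
    return $localeDir . '/' . $locale . '.php';
}

// Hardened shape: explicit allow-list first, canonical-path containment second.
// The list is a placeholder; a real deployment enumerates its shipped locales.
const ALLOWED_LOCALES = ['en', 'pt_BR', 'es', 'fr'];

function resolve_locale_file(string $localeDir, string $locale): ?string
{
    // 1. Only known codes pass; this alone excludes separators, dots and NUL.
    if (!in_array($locale, ALLOWED_LOCALES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalize and require the file to sit under $localeDir.
    $base = realpath($localeDir);
    $path = realpath($localeDir . '/' . $locale . '.php');
    if ($base === false || $path === false) {
        return null; // directory or locale file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the locale directory (e.g. via symlink)
    }
    return $path;
}

// Endpoint usage: reject unknown values with a 400 instead of falling through.
$locale = $_GET['locale'] ?? 'en';
$file = resolve_locale_file(__DIR__ . '/locale', $locale);
if ($file === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    exit(json_encode(['error' => 'unknown locale']));
}
include $file;
```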

Advisories

Source: GitHub GHSA
ID: GHSA-8fw8-q79c-fp9m
Title: AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
History

Wed, 25 Mar 2026 18:00:00 +0000

  Type: CPEs
  Values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 15:15:00 +0000

  Type: Metrics (ssvc)
  Values added: Automatable: yes; Exploitation: poc; Technical Impact: partial (SSVC version 2.0.3)

Tue, 24 Mar 2026 10:45:00 +0000

  Type: First time appeared
  Values added: Wwbn; Wwbn avideo

  Type: Vendors & Products
  Values added: Wwbn; Wwbn avideo

Mon, 23 Mar 2026 18:45:00 +0000

  Type: Description
  Values added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

  Type: Title
  Values added: AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

  Type: Weaknesses
  Values added: CWE-22; CWE-98

  Type: References

  Type: Metrics (cvssV3_1)
  Values added: score 8.6; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:27:53.769Z

Reserved: 2026-03-20T16:59:08.891Z

Link: CVE-2026-33513

Vulnrichment

Updated: 2026-03-24T14:27:48.360Z

NVD

Status : Analyzed

Published: 2026-03-23T19:16:40.593

Modified: 2026-03-25T17:52:58.517

Link: CVE-2026-33513

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:27:54Z

Weaknesses