Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch.
Published: 2026-03-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability occurs in the ImageGallery::saveFile() method of the AVideo platform. File uploads are validated with MIME type detection, but the saved filename extension is taken directly from the original filename without an allowlist. An attacker can upload a polyglot file that contains valid JPEG bytes followed by PHP code and give it a .php extension. The MIME check passes, but the file is written to a web‑accessible directory as an executable .php file, allowing the attacker to run arbitrary code on the server. This represents a remote code execution flaw (CWE‑434) that compromises confidentiality, integrity, and availability of the host system.

Affected Systems

The flaw affects the open‑source AVideo video platform from WWBN in all releases up to and including version 26.0. No higher versions have been confirmed to contain the vulnerability.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. The EPSS score is below 1 %, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw lies in a public file‑upload endpoint that accepts content from unauthenticated users, an attacker could potentially exploit it at any time by crafting the described polyglot upload. The risk is mitigated with the availability of a patch.

Generated by OpenCVE AI on March 25, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, which fixes the MIME/extension mismatch in ImageGallery.
  • Upgrade AVideo to a version newer than 26.0 if possible.
  • Restrict the upload directory from executing PHP by disabling PHP execution in that folder.
  • As a temporary measure, enforce an allowlist of safe file extensions and validate the MIME type of uploads against the extension.

Generated by OpenCVE AI on March 25, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wxjw-phj6-g75w AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
History

Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch.
Title AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:36:15.421Z

Reserved: 2026-03-23T15:23:42.217Z

Link: CVE-2026-33647

cve-icon Vulnrichment

Updated: 2026-03-24T17:36:08.072Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T19:16:40.750

Modified: 2026-03-25T17:54:10.537

Link: CVE-2026-33647

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:37:17Z

Weaknesses