CVE-2026-40909 - Vulnerability Details

- WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.

Published: 2026-04-21

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

WWBN AVideo versions 29.0 and earlier contain a path‑traversal flaw in the locale/save.php endpoint. The application concatenates the POST parameter flag directly into a file path and writes the POST parameter code verbatim. This lets an attacker who can act as an administrator or who can CSRF an admin session construct a path that exits the locale directory and create arbitrary .php files in any web‑accessible, writable directory, effectively executing code on the host.

Affected Systems

The vulnerable component is present in the WWBN AVideo open‑source video platform. Versions 29.0 and all earlier releases are affected. Users running those releases should verify the 57f89f… patch or update to the latest release (>=30.0).

Risk and Exploitability

The flaw receives a CVSS score of 8.7, indicating high severity. EPSS data was not provided, and the vulnerability is not listed in CISA KEV. Exploitation requires the attacker to possess administrative privileges or the ability to CSRF an admin session, but no additional preconditions are documented. Once exploited, an attacker gains remote code execution over the affected server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 29.0`	affected	—

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,29.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy the patch referenced in commit 57f89fbc27d37c9d9dd727212334846e78ac21a or upgrade to AVideo version 30.0 or later.
If an update is not immediately possible, restrict write permissions on web‑accessible directories and ensure the locale/ directory is not writable by the webserver process.
Implement proper input validation and enforce a CSRF token on the locale save endpoint to prevent unauthorized file writes.

Generated by OpenCVE AI on April 22, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00101.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/WWBN/AVideo/commit/57f89ffbc27d37c9d9dd727212334846e78ac21a
https://github.com/WWBN/AVideo/security/advisories/GHSA-6rc6-p838-686f

History

Wed, 22 Apr 2026 04:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
Title		WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
Weaknesses		CWE-22
References		https://github.com/WWBN/AVideo/commit/57f89ffbc27d37c9d9dd727212334846e78ac21a https://github.com/WWBN/AVideo/security/advisories/GHSA-6rc6-p838-686f
Metrics		cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-21T19:54:07.257Z

Updated: 2026-04-21T20:36:00.797Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40909

Vulnrichment

Updated: 2026-04-21T20:16:03.241Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T20:17:03.347

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object