CVE-2026-33513

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Assigner: GitHub_M
Reserved: 20.03.2026 Published: 23.03.2026 Updated: 24.03.2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it can escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVSS Score: 8.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	WWBN
Product	AVideo
Versions	Version <= 26.0 is affected

Vendor

WWBN

Product

AVideo

Versions

Version <= 26.0 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE

CVE-2026-33513 PUBLISHED

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Metrics

Product Status

References

Problem Types