CVE-2026-33513 HIGH

CVE-2026-33513: AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Vendor Wwbn

Product AVideo

Weakness CWE-22 · Path traversal

Published March 23, 2026

Last update March 24, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

Key dates

Disclosure timeline

March 23, 2026 CVE published

March 24, 2026 Record updated