High severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
CVE-2026-33483
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/advisories/GHSA-vv7w-qf5c-734w (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33483 (ghsa, ADVISORY)
- github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1 (ghsa, x_refsource_MISC, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w (ghsa, x_refsource_CONFIRM, WEB)