High severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
CVE-2026-33513
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-8fw8-q79c-fp9mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33513ghsaADVISORY
- github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9mghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.