CVE-2026-33354 | WWBN AVideo up to 26.0 Endpoint aVideoEncoder.json.php isValidURLOrPath chunkFile file inclusion

VDB-352527 · CVE-2026-33354 · GCVE-0-2026-33354 WWBN AVIDEO UP TO 26.0 ENDPOINT AVIDEOENCODER.JSON.PHP ISVALIDURLORPATH CHUNKFILE FILE INCLUSION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.8 $0-$5k 2.88+ Summaryinfo A vulnerability was found in WWBN AVideo up to 26.0. It has been rated as critical. Affected is the function isValidURLOrPath of the file /objects/aVideoEncoder.json.php of the component Endpoint. Performing a manipulation of the argument chunkFile results in file inclusion. This vulnerability is reported as CVE-2026-33354. The attack is possible to be carried out remotely. No exploit exists. It is recommended to apply a patch to fix this issue. Detailsinfo A vulnerability was found in WWBN AVideo up to 26.0. It has been classified as critical. This affects the function isValidURLOrPath of the file /objects/aVideoEncoder.json.php of the component Endpoint. The manipulation of the argument chunkFile with an unknown input leads to a file inclusion vulnerability. CWE is classifying the issue as CWE-73. The product allows user input to control or influence paths or file names that are used in filesystem operations. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is: WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2026-33354 since 03/18/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Technical details of the vulnerability are known, but there is no available exploit. By approaching the search of inurl:objects/aVideoEncoder.json.php it is possible to find vulnerable targets with Google Hacking. Applying the patch 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f is able to eliminate this problem. Productinfo Vendor WWBN Name AVideo Version 26.0 License open-source Website Product: https://github.com/WWBN/AVideo/ CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.9 VulDB Meta Temp Score: 6.8 VulDB Base Score: 6.3 VulDB Temp Score: 6.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.6 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: File inclusion CWE: CWE-73 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Google Hack: 🔒 Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Patch: 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f Timelineinfo 03/18/2026 CVE reserved 03/23/2026 +5 days Advisory disclosed 03/23/2026 +0 days VulDB entry created 03/23/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-33354 (🔒) GCVE (CVE): GCVE-0-2026-33354 GCVE (VulDB): GCVE-100-352527 Entryinfo Created: 03/23/2026 15:39 Changes: 03/23/2026 15:39 (66) Complete: 🔍 Cache ID: 99:04A:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸