CVE-2026-33647 | WWBN AVideo up to 26.0 Filename Extension ImageGallery::saveFile unrestricted upload

VDB-352553 · CVE-2026-33647 · GCVE-0-2026-33647 WWBN AVIDEO UP TO 26.0 FILENAME EXTENSION IMAGEGALLERY::SAVEFILE UNRESTRICTED UPLOAD HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.4 $0-$5k 2.11+ Summaryinfo A vulnerability was found in WWBN AVideo up to 26.0. It has been classified as critical. This vulnerability affects the function ImageGallery::saveFile of the component Filename Extension Handler. The manipulation leads to unrestricted upload. This vulnerability is listed as CVE-2026-33647. The attack may be initiated remotely. There is no available exploit. It is suggested to install a patch to address this issue. Detailsinfo A vulnerability was found in WWBN AVideo up to 26.0 and classified as critical. This issue affects the function ImageGallery::saveFile of the component Filename Extension Handler. The manipulation with an unknown input leads to a unrestricted upload vulnerability. Using CWE to declare the problem leads to CWE-434. The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Impacted is confidentiality, integrity, and availability. The summary by CVE is: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch. The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-33647 since 03/23/2026. The exploitation is known to be easy. The attack may be initiated remotely. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1608.002 for this issue. Applying the patch 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae is able to eliminate this problem. Productinfo Vendor WWBN Name AVideo Version 26.0 License open-source Website Product: https://github.com/WWBN/AVideo/ CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 7.6 VulDB Meta Temp Score: 7.4 VulDB Base Score: 6.3 VulDB Temp Score: 6.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 8.8 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Unrestricted upload CWE: CWE-434 / CWE-284 / CWE-266 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Patch: 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae Timelineinfo 03/23/2026 Advisory disclosed 03/23/2026 +0 days CVE reserved 03/23/2026 +0 days VulDB entry created 03/23/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-33647 (🔒) GCVE (CVE): GCVE-0-2026-33647 GCVE (VulDB): GCVE-100-352553 Entryinfo Created: 03/23/2026 20:05 Changes: 03/23/2026 20:05 (65) Complete: 🔍 Cache ID: 99:6B8:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸