CVE-2026-28502
published 2026-03-06

Priority: P2 · 65 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.67% (47.5th percentile)

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

Affected

1 range

Vendor   Product   Version range   Fixed in
wwbn     avideo    < 24.0          24.0

Detection & IOCs

  • Monitor for ZIP archive uploads to the AVideo plugin upload/import functionality by authenticated administrator accounts, particularly archives containing PHP or other server-side executable files.
  • Detect extraction of uploaded ZIP archives directly into web-accessible plugin directories, especially the creation of new PHP files under the plugin directory path.
  • The vulnerability only affects AVideo versions prior to 24.0; version 24.0 and later are patched. Ensure the installed version is confirmed before applying detection logic.
  • Exploitation requires an authenticated administrator session; unauthenticated exploitation is not possible based on current reporting.
  • No public exploit is currently available, and CISA KEV listing has not been confirmed, limiting immediate exploitation risk but not eliminating it given a 51.2nd percentile EPSS score.
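
The first detection item above, as an added example (not AVideo's code and not the fix shipped in 24.0): a triage function that inspects an uploaded plugin archive for server-side executable members before it is extracted. The extension list, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: suffixes a PHP-enabled web server may execute; align with your handler config.
SERVER_EXEC_EXT = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}

def inspect_upload(zip_bytes):
    """Return (verdict, flagged_members) for an uploaded plugin archive.

    verdict is "reject" for an unreadable archive, "review" when any member
    carries a server-executable suffix (including double extensions such as
    name.phtml.png), and "allow" otherwise.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ("reject", [])
    flagged = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check every suffix of the file name, case-insensitively.
            suffixes = {s.lower() for s in PurePosixPath(info.filename).suffixes}
            if suffixes & SERVER_EXEC_EXT:
                flagged.append(info.filename)
    return ("review", sorted(flagged)) if flagged else ("allow", [])

def build_sample(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample archives with placeholder contents.
    benign = build_sample({"SamplePlugin/readme.txt": b"placeholder"})
    flagged = build_sample({
        "SamplePlugin/readme.txt": b"placeholder",
        "SamplePlugin/Hook.PHP": b"placeholder",
        "SamplePlugin/img/a.phtml.png": b"placeholder",
    })
    for label, blob in (("benign", benign), ("flagged", flagged), ("corrupt", b"not a zip")):
        print(label, inspect_upload(blob))
```

A "review" verdict is a triage signal to correlate with the administrator session that performed the upload and with new files appearing under the plugin directory, not proof of exploitation.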

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X