CVE-2026-28502
Published 2026-03-06
Priority P2 · 65 · High · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 0.67% (47.5th percentile)
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | < 24.0 | 24.0 |
Note: the GHSA/OSV advisory text reproduced below lists the affected versions as "up to and including 22.x" with a fix "expected in version 23", whereas the CVE record and this range state that every version before 24.0 is affected and 24.0 is the fix. Treat 24.0 as the minimum safe version and confirm against the upstream release notes before closing a finding.
Detection & IOCs (extracted from sources)
- Monitor ZIP archive uploads to the AVideo plugin upload/import functionality by authenticated administrator accounts, particularly archives containing PHP or other server-side executable files.
- Detect extraction of uploaded ZIP archives directly into web-accessible plugin directories, especially the creation of new PHP files under the plugin directory path.
- The vulnerability only affects AVideo versions prior to 24.0; 24.0 and later are patched. Confirm the installed version before applying detection logic.
- Exploitation requires an authenticated administrator session; unauthenticated exploitation is not possible based on current reporting.
- No public exploit is currently available and a CISA KEV listing has not been confirmed, which limits but does not eliminate immediate exploitation risk given a mid-range EPSS percentile (51.2nd when this note was extracted; the score block above currently shows 47.5th).
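The second detection note above (new PHP files appearing under the plugin directory) can be implemented as a baseline comparison of the plugin tree. The Python below is an added example, not an AVideo feature and not a published detection rule; the plugin tree it scans is constructed in a temporary directory, and the extension and control-file lists are assumptions. It goes a little beyond the note: it also flags `.htaccess`/`.user.ini` drops and files whose extension looks harmless but whose content opens with a PHP tag, since either is how a ZIP payload gets executed without a new `.php` file ever being created.

```python
"""Baseline-diff detection of server-side file drops under a plugin directory.

Added example for this page, not an AVideo component or a published rule.
The plugin tree is constructed in a temp directory; the extension and
control-file lists are assumptions. A file counts as server-side if its name
says so (any dotted suffix, case-insensitive) or its content opens with a PHP tag.
"""
import hashlib
import os
import tempfile

SERVER_SIDE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "inc"}
WEB_CONTROL_FILES = {".htaccess", ".user.ini", "web.config"}


def is_server_side(rel: str, head: bytes = b"") -> bool:
    """True for names the web server may execute or obey, or content starting with <?php / <?=."""
    base = rel.rsplit("/", 1)[-1].lower()
    if base in WEB_CONTROL_FILES:
        return True
    if SERVER_SIDE_EXTS & set(base.split(".")[1:]):
        return True
    return head.lstrip().startswith((b"<?php", b"<?="))


def snapshot(root: str) -> dict:
    """Map each relative path under root to (sha256, server_side_flag)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            out[rel] = (hashlib.sha256(data).hexdigest(), is_server_side(rel, data[:64]))
    return out


def diff_plugin_tree(baseline: dict, current: dict) -> list:
    """Return sorted (kind, path) alerts for server-side files that appeared, changed or vanished."""
    alerts = []
    for rel, (digest, flagged) in current.items():
        if not flagged:
            continue
        if rel not in baseline:
            alerts.append(("new", rel))
        elif baseline[rel][0] != digest:
            alerts.append(("modified", rel))
    for rel, (_digest, flagged) in baseline.items():
        if flagged and rel not in current:
            alerts.append(("deleted", rel))
    return sorted(alerts)


def demo() -> list:
    """Constructed scenario: baseline a clean plugin tree, then simulate a crafted import."""
    root = tempfile.mkdtemp(prefix="avideo-plugin-demo-")

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    write("Demo/Demo.php", b"<?php class Demo {}")
    write("Demo/view/index.html", b"<h1>demo</h1>")
    baseline = snapshot(root)
    # What an unsafe extraction could leave behind (constructed, not a real payload):
    write("Evil/shell.PhP", b"<?php eval($_POST['x']);")                   # mixed-case extension
    write("Demo/cache/.htaccess", b"AddType application/x-httpd-php .txt")  # makes .txt executable
    write("Demo/cache/x.txt", b"<?php system($_GET['c']);")                 # PHP hidden behind .txt
    write("Demo/view/index.html", b"<h1>changed</h1>")                      # static change: no alert
    write("Demo/Demo.php", b"<?php class Demo { /* backdoored */ }")        # existing PHP modified
    return diff_plugin_tree(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:8} {path}")
```

Run this from a scheduled job against a baseline taken right after a known-good deployment; a legitimate plugin install or upgrade will also trigger it, which is the point: every alert should map to a change-ticket, and one that does not is the signal the first note above is asking for.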
CVSS provenance
NVD · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Caveat: both vectors understate the precondition the advisory states. The v4.0 vector records PR:N (no privileges) and the v3.1 vector PR:L (low privileges), while the advisory and the detection notes above require an authenticated administrator session, which CVSS would ordinarily score as PR:H. Use the scores for triage ordering, but assess actual exposure on the administrator-only precondition.
GHSA
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
ghsa · 2026-03-02 · CVE-2026-28502 [CRITICAL] · CWE-434
## Summary
An authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality.
The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.
## Vulnerability Type
- Remote Code Execution (RCE)
- CWE-434: Unrestricted Upload of File with Dangerous Type
## Affected Versions
- All versions up to and including 22.x.
## Fixed Version
- A fix is expected to be released in version 23.
## Root Cause
The syste
OSV
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
osv · 2026-03-02 · CVE-2026-28502 [CRITICAL] (advisory text identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.