CVE-2026-33513
Published: 2026-03-23
Priority: P3 (54)
Severity: High, CVSS 3.1 base score 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.74% (50.0th percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA (2026-03-20): CVE-2026-33513 [HIGH] CWE-22
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
### Summary
An unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree.
### Details
- Entry point: `plugin/API/get.json.php` sets `$global['bypassSameDomainCheck']=1` and merges GET/POST/JSON into `$parameters` without authentication or API secret.
- Handler: `plugin/API/API.php`, method `get_api_locale()` (lines ~50
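The Summary and Details above describe the defect in general terms: a request parameter is concatenated into an `include` path with no canonicalization or allow-list. The following is an added illustration, not code from AVideo or from the advisory: a hypothetical locale loader in the shape the advisory describes, placed beside a hardened version that resolves the requested tag against the files that actually exist in the locale directory and only ever includes one of those. The function names, the directory layout and the sample inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration (not AVideo's code). The advisory reports that the locale
 * handler pastes user input into an include path. Everything below, including
 * the function names, $localeDir layout and sample inputs, is assumed.
 */

/* Vulnerable shape, as the advisory describes it: the request parameter becomes
 * a path fragment, so "../" segments are honoured by include() (CWE-22). */
function load_locale_unsafe(string $localeDir, string $lang): void
{
    include $localeDir . '/' . $lang . '.php';
}

/* Hardened replacement, step 1: enumerate the locale files that really exist.
 * Only plain "xx.php" / "xx_YY.php" names count; the map is tag => path. */
function available_locales(string $localeDir): array
{
    $base = realpath($localeDir);
    if ($base === false) {
        return [];
    }
    $tags = [];
    foreach (scandir($base) as $entry) {
        if (preg_match('/^([a-z]{2,3}(?:_[A-Za-z]{2,4})?)\.php$/', $entry, $m)
            && is_file($base . DIRECTORY_SEPARATOR . $entry)) {
            $tags[$m[1]] = $base . DIRECTORY_SEPARATOR . $entry;
        }
    }
    return $tags;
}

/* Step 2: the user value is used only as a lookup key, never as a path. Unknown
 * tags, traversal sequences, NUL bytes and stream wrappers all fail the lookup. */
function resolve_locale_file(string $localeDir, string $lang): ?string
{
    $allowed = available_locales($localeDir);
    if (!array_key_exists($lang, $allowed)) {
        return null;
    }
    $path = realpath($allowed[$lang]);
    $base = realpath($localeDir);
    // Containment check: guards against a symlink inside the directory that
    // resolves to a file outside it.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/* Step 3: include the resolved file, falling back to a default locale. */
function load_locale_safe(string $localeDir, string $lang, string $fallback = 'en'): string
{
    $file = resolve_locale_file($localeDir, $lang) ?? resolve_locale_file($localeDir, $fallback);
    if ($file === null) {
        http_response_code(400);
        return 'rejected';
    }
    include $file;
    return basename($file);
}

/* Self-contained demo on a constructed temporary locale directory. */
$dir = sys_get_temp_dir() . '/locale_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/en.php', "<?php\n\$strings = ['hello' => 'Hello'];\n");
file_put_contents($dir . '/pt_BR.php', "<?php\n\$strings = ['hello' => 'Olá'];\n");

// Constructed inputs: one real tag, one traversal attempt, one NUL-byte
// truncation attempt and one stream-wrapper attempt.
foreach (['pt_BR', '../view/about', "en\0", 'php://filter/resource=en'] as $input) {
    $verdict = resolve_locale_file($dir, $input) === null ? 'rejected' : 'accepted';
    printf("%-30s -> %s\n", var_export($input, true), $verdict);
}

array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Run with `php locale_demo.php`: only `pt_BR` resolves to a file, the other three inputs are rejected before any filesystem access with the user value takes place. The design point is that the request parameter is used as a dictionary key into a set the server built itself, so canonicalization of attacker-supplied paths is never needed; the `realpath` containment check is a second layer for the symlink case only.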
OSV (2026-03-20): CVE-2026-33513 [HIGH]
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
No detection rules found.
No public exploits indexed.