Cyber Posture

CVE-2026-28502

High

Published: 06 March 2026

Modified: 16 March 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of uploaded ZIP archive contents to prevent extraction of executable PHP files into web-accessible directories, addressing the core unrestricted upload vulnerability.

prevent, detect

Deploys malicious code protection at system entry points to scan and block ZIP archives containing executable server-side files before extraction.

prevent

Enforces policies restricting user-installed software like plugins via authenticated upload, preventing administrators from deploying unapproved malicious components.
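The archive-content validation named in the first control can be done before anything is extracted. The sketch below is an added example, not AVideo's code and not the 24.0 patch; the function names and the extension deny-list are assumptions, and it assumes a policy under which uploaded archives must contain no server-executable files.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed deny-list: extensions a PHP-capable web server may execute.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4",
                   ".php5", ".php7", ".cgi", ".pl"}
# Files that change how the web server handles a directory.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini"}


def audit_zip(data: bytes) -> list[str]:
    """Inspect an uploaded archive without extracting it; return findings."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            if name.startswith("/") or ".." in path.parts:
                findings.append(f"path escapes target directory: {info.filename}")
            # The Unix file mode sits in the high 16 bits of external_attr.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append(f"symlink entry: {info.filename}")
            if info.is_dir():
                continue
            if path.name.lower() in SERVER_CONFIG_NAMES:
                findings.append(f"server config override: {info.filename}")
            # Check every suffix so "image.php.jpg" is flagged as well.
            if any(s.lower() in EXECUTABLE_EXTS for s in path.suffixes):
                findings.append(f"server-executable file: {info.filename}")
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"demo/readme.txt": b"docs", "demo/Demo.PHP": b"<?php ?>"})
    for finding in audit_zip(sample):
        print(finding)
```

An upload handler would reject the archive when the returned list is non-empty, and extract accepted archives to a location outside the web root.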

Security Summary

CVE-2026-28502 is an authenticated remote code execution (RCE) vulnerability in WWBN AVideo, an open source video platform. Affecting versions prior to 24.0, the issue stems from the plugin upload/import functionality, which fails to adequately validate contents of uploaded ZIP archives. This allows a specially crafted archive containing executable server-side files to be extracted directly into a web-accessible plugin directory, enabling arbitrary PHP code execution. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated administrator can exploit this vulnerability remotely with low complexity and no user interaction. By uploading a malicious ZIP archive via the plugin import feature, the attacker achieves arbitrary code execution on the server, potentially leading to full system compromise given the high impacts on confidentiality, integrity, and availability.

The vulnerability has been patched in AVideo version 24.0. Mitigation involves upgrading to this version or later. Key resources include the patching commit at https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db, the release page at https://github.com/WWBN/AVideo/releases/tag/24.0, and the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3.

Details

CWE(s)

Affected Products

wwbn avideo ≤ 24.0

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables uploading and extracting malicious PHP files to a web-accessible directory via an authenticated plugin import feature in a public-facing web application, directly facilitating web shell deployment (T1100) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
