Cyber Posture

CVE-2026-33513

High · Public PoC

Published: 23 March 2026

Modified: 25 March 2026
KEV Added
Patch
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0033 (55.8th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mitigates the path traversal vulnerability by requiring validation, sanitization, or rejection of user input to the locale API parameter, preventing arbitrary PHP file inclusion.

prevent: Enforces secure PHP configuration settings such as open_basedir restrictions to limit file inclusion paths to authorized directories under the web root, blocking traversal exploitation.

prevent: Requires timely identification, reporting, and patching of the specific path traversal flaw in AVideo versions up to 26.0, eliminating the vulnerability when updates become available.

Security Summary [AI-generated]

CVE-2026-33513 is a path traversal vulnerability (CWE-22, CWE-98) in WWBN AVideo, an open-source video platform, affecting versions up to and including 26.0. The issue stems from an unauthenticated API endpoint (`APIName=locale`) that concatenates user-supplied input directly into a PHP `include` path without canonicalization or whitelisting. This allows traversal outside intended directories, enabling the inclusion and execution of arbitrary PHP files under the web root.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, no privileges, no user interaction, and unchanged scope (CVSSv3.1 score: 8.6; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). Exploitation results in confirmed file disclosure and execution of existing PHP content, such as `view/about.php`. It can escalate to remote code execution (RCE) if the attacker can place or control a PHP file elsewhere in the traversable tree under the web root.

The GitHub security advisory (GHSA-8fw8-q79c-fp9m) states that, as of the CVE publication on 2026-03-23, no patched versions of AVideo are available. Security practitioners should monitor the repository for updates while applying workarounds like disabling the vulnerable endpoint if feasible.
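The two application-level controls above (validate or reject the `locale` parameter, and keep includes inside an authorized directory) are shown below as an added example written for this page; it is not AVideo's code and does not reproduce the vulnerable endpoint. The locale directory, the `<locale>.php` naming scheme, the allowlist contents and the helper names `resolveLocaleFile` and `loadLocale` are assumptions:

```php
<?php
// Added illustrative example, not code from AVideo: a locale loader that
// accepts a user-supplied locale name only if it is on an explicit allowlist
// AND its canonical path stays inside the locale directory. The directory
// layout, file naming scheme and locale list below are assumptions.
declare(strict_types=1);

/**
 * Return the canonical path of the locale file to include, or null when the
 * request must be refused. Two independent checks are applied:
 *   1. allowlist: only known locale codes are accepted at all;
 *   2. containment: realpath() of the candidate must lie under $baseDir.
 */
function resolveLocaleFile(string $baseDir, string $locale, array $allowed): ?string
{
    // Check 1: exact, type-strict match. "../x", "EN" or "en\0" never pass.
    if (!in_array($locale, $allowed, true)) {
        return null;
    }

    $candidate = $baseDir . DIRECTORY_SEPARATOR . $locale . '.php';

    // Check 2: canonicalise both sides. realpath() returns false for a
    // missing file, which also ends in refusal.
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the locale directory
    }
    return $real;
}

/** Include the validated locale file; refuse (empty array) otherwise. */
function loadLocale(string $baseDir, string $locale, array $allowed): array
{
    $file = resolveLocaleFile($baseDir, $locale, $allowed);
    if ($file === null) {
        return [];              // never include unvalidated input
    }
    return include $file;       // each locale file returns an array
}

// --- self-check with constructed data: `php locale_example.php` ---------
$dir = sys_get_temp_dir() . '/locale_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/en.php", "<?php return ['hello' => 'Hello'];");
file_put_contents("$dir/pt_BR.php", "<?php return ['hello' => 'Olá'];");
$allowed = ['en', 'pt_BR'];

// Constructed probe values: valid codes, traversal-style input, NUL, case, suffix.
$probes = ['en', 'pt_BR', '../../index', "en\0", 'EN', 'en.php'];
foreach ($probes as $p) {
    $r = resolveLocaleFile($dir, $p, $allowed);
    printf("%-20s -> %s\n", json_encode($p), $r === null ? 'REFUSED' : 'ok: ' . basename($r));
}
print_r(loadLocale($dir, 'en', $allowed));

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The allowlist is the decision; the `realpath` containment test is a second, independent guard so that a future change to the allowlist or naming scheme cannot silently reopen traversal. As defence in depth at the interpreter level, `open_basedir` in php.ini (for example `open_basedir = /var/www/html`, an assumed web-root path) makes PHP refuse to `include` any file outside the listed directories even when application code fails to validate, but it limits the damage rather than replacing the validation.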

Details

CWE(s): CWE-22, CWE-98

Affected Products: wwbn / avideo ≤ 26.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A path traversal vulnerability in an unauthenticated, public-facing web API endpoint enables remote exploitation of the application for file disclosure and PHP execution, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References