Cyber Posture

CVE-2026-33647

High · Public PoC

Published: 23 March 2026
Modified: 25 March 2026
KEV Added: (no date listed)
Patch: available (see commit in Description)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch.

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires validating uploaded file metadata, including user-supplied filename extensions, against an allowlist to prevent saving executable polyglot files such as `.php` in web-accessible directories.
- prevent: Enforces restrictions on file upload inputs, such as permitted extensions and types, to block dangerous files from being accepted and stored.
- prevent: Directly remediates the flaw in `ImageGallery::saveFile()` by applying the vendor patch that adds proper filename extension validation.

Security Summary

CVE-2026-33647 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the `ImageGallery::saveFile()` method, which performs MIME type validation on uploaded files using `finfo` detection but derives the saved filename extension directly from the user-supplied original filename without an allowlist check. This allows attackers to upload polyglot files—such as those with valid JPEG magic bytes followed by PHP code—named with a `.php` extension. The file passes MIME validation but is stored as an executable PHP file in a web-accessible directory, enabling remote code execution (RCE). The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By uploading a crafted polyglot file via the image gallery functionality, the attacker bypasses content validation and achieves RCE on the server, potentially gaining high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged security scope (S:U).

The patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae on the project's GitHub repository. Additional details and mitigation guidance are provided in the GitHub security advisory at GHSA-wxjw-phj6-g75w.
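The root cause described above is that the MIME check and the extension decision are disconnected. The following is an added illustration of the hardened pattern, not AVideo's own code or its patch: the stored extension is looked up from the `finfo`-detected MIME type in an allowlist, the original filename never reaches the filesystem, and the image is re-encoded so any bytes appended after the image data are dropped. `ALLOWED_IMAGE_TYPES`, `safeStoredName()`, `saveImageSafely()` and `$destDir` are names assumed for this example.

```php
<?php
declare(strict_types=1);

// Allowlist: detected MIME type -> the only extension we will ever write.
// (Example code, not the project's; names are assumptions.)
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Decide the stored filename from the file's detected content only.
 * The user-supplied original name ($_FILES[...]['name']) is deliberately
 * not a parameter, so nothing from it can influence the saved extension.
 */
function safeStoredName(string $tmpPath): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Rejected upload: content type ' . var_export($mime, true));
    }
    // Random basename: no user-controlled characters reach the filesystem.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Re-encode with GD so trailing bytes after the image data (the script half
 * of a polyglot) do not survive, then write into $destDir. $destDir should
 * be outside the web root or served with script execution disabled.
 */
function saveImageSafely(string $tmpPath, string $destDir): string
{
    $name = safeStoredName($tmpPath);
    $img  = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('Rejected upload: not a decodable image');
    }
    $dest = rtrim($destDir, '/') . '/' . $name;
    $ok = match (pathinfo($name, PATHINFO_EXTENSION)) {
        'jpg'  => imagejpeg($img, $dest, 90),
        'png'  => imagepng($img, $dest),
        'gif'  => imagegif($img, $dest),
        'webp' => imagewebp($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Failed to write image');
    }
    return $dest;
}
```

Re-encoding discards metadata and animation frames, so projects that need those should at least keep the allowlist-derived extension and the random basename, which are the two checks the vulnerable pattern lacked.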

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products: wwbn / avideo, versions ≤ 26.0

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) through unrestricted upload of polyglot PHP files, which facilitates deployment of web shells (T1505.003) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- GitHub security advisory GHSA-wxjw-phj6-g75w
- Patch commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae in the project's GitHub repository