CVE-2026-40909
Published: 21 April 2026
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
Mitigating Controls (NIST 800-53 r5, AI-generated)
- Input validation: directly addresses the path traversal (CWE-22) by requiring that the `$_POST['flag']` value used to build the file path is validated (ideally against an allow-list of locale identifiers) before use, and that the `$_POST['code']` content written via `fwrite()` is constrained to what a locale file is expected to contain.
- Access enforcement: restricts file write operations to the intended `locale/` directory, so a path that resolves outside it is rejected rather than written, which removes the route to RCE through arbitrary writable locations.
- Session authenticity: mitigates the CSRF vector (no token validation, session cookies sent with `SameSite=None`) by requiring a per-session anti-CSRF token on the `locale/save.php` endpoint, so a forged cross-origin POST from an admin's browser is refused.
Security Summary (AI-generated)
CVE-2026-40909 is a path traversal vulnerability (CWE-22) in WWBN AVideo, an open source video platform, affecting versions 29.0 and prior. The issue resides in the `locale/save.php` endpoint, where line 30 directly concatenates the unsanitized `$_POST['flag']` parameter into a file path, and line 40 writes the `$_POST['code']` parameter verbatim to that path using `fwrite()`. This allows attackers to construct paths that escape the intended `locale/` directory and target arbitrary writable locations on the filesystem, enabling the creation of malicious `.php` files for remote code execution (RCE). The vulnerability carries a CVSS v3.1 score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N).
An authenticated admin user, or any attacker who can lure an admin's browser into submitting a forged cross-site request, can exploit this flaw. The endpoint performs no CSRF token validation, and session cookies are set with `SameSite=None`, so the browser attaches the admin's session to a cross-origin POST. By supplying a crafted `flag` value (e.g., using `../` sequences) and malicious PHP code in `code`, the attacker can write an executable file to a server-writable, web-reachable location such as the web root and then request it, giving full RCE on the host under the web server's account.
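The following is an added example, not AVideo's code and not the content of the fixing commit: a hardened save handler for the pattern described above, written in the project's language. It assumes a session-scoped token stored in `$_SESSION['csrf_token']` and an `isAdmin()` helper standing in for the platform's real admin check; both are assumptions for illustration. The point is to replace filtering of `../` with an allow-list for `flag`, confirm the resolved target stays inside the locale directory, and reject requests without a CSRF token.

```php
<?php
// Added example (not AVideo's own code or its fix). Assumed names:
// isAdmin(), $_SESSION['csrf_token'], and the 'csrf_token' POST field.
declare(strict_types=1);

// Stand-in for the platform's admin check (assumption for this example).
function isAdmin(): bool
{
    return !empty($_SESSION['user']['isAdmin']);
}

// Refuse any request that does not carry the session's anti-CSRF token.
// hash_equals() is constant-time, so the comparison does not leak the token.
function csrfCheck(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// Allow-list the locale identifier (e.g. "en", "pt_BR") instead of trying to
// strip "../": traversal, absolute paths and NUL bytes all fail this pattern.
function localeFlagIsValid(string $flag): bool
{
    return (bool) preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $flag);
}

// Build the target path and confirm, after symlink resolution, that it lives
// directly inside $localeDir. Returns null for anything that must not be written.
function safeLocalePath(string $localeDir, string $flag): ?string
{
    if (!localeFlagIsValid($flag)) {
        return null;
    }
    $base = realpath($localeDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $flag . '.php';
    // realpath() is false for a file that does not exist yet, so resolve the
    // parent directory and require it to be exactly the locale directory.
    if (realpath(dirname($target)) !== $base) {
        return null;
    }
    return $target;
}

session_start();

if (!isAdmin()) {
    http_response_code(403);
    exit('admin only');
}
csrfCheck();

$flag = $_POST['flag'] ?? '';
$path = is_string($flag) ? safeLocalePath(__DIR__, $flag) : null;
if ($path === null) {
    http_response_code(400);
    exit('bad locale identifier');
}

$code = $_POST['code'] ?? '';
if (!is_string($code)) {
    http_response_code(400);
    exit('bad locale content');
}
// Write atomically with respect to concurrent saves of the same locale.
file_put_contents($path, $code, LOCK_EX);
```

Two caveats a reviewer would raise: the allow-list plus containment check closes the traversal and the CSRF token closes the forged-request path, but an admin can still write PHP into the locale directory because that is what the feature does by design; if that is unacceptable in a deployment, the `code` field should be parsed into a data table and rendered from a template rather than written verbatim. The `realpath()` comparison also matters on hosts where `locale/` itself could be a symlink, since the string prefix of the unresolved path would not detect that.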
The fixing commit, 57f89ffbc27d37c9d9dd727212334846e78ac21a, addresses the issue in the WWBN/AVideo repository. GitHub Security Advisory GHSA-6rc6-p838-686f provides further details on the vulnerability and recommends upgrading to a patched version.
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
- Affected Products: WWBN AVideo, versions 29.0 and prior (fixed in commit 57f89ffbc27d37c9d9dd727212334846e78ac21a)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The path traversal in a public-facing web application (the AVideo platform) is exploited by sending crafted requests to that application (T1190, Exploit Public-Facing Application), and the arbitrary `.php` write is the natural delivery mechanism for a web shell. Note that T1100 (Web Shell) has been revoked in ATT&CK and is now tracked as T1505.003 (Server Software Component: Web Shell); detection mappings should use the current ID.