{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33717", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.748Z", "datePublished": "2026-03-23T18:48:24.934Z", "dateUpdated": "2026-03-24T16:10:19.803Z"}, "containers": {"cna": {"title": "AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8wf4-c4x3-h952", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8wf4-c4x3-h952"}, {"name": "https://github.com/WWBN/AVideo/commit/6da79b43484099a0b660d1544a63c07b633ed3a2", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/6da79b43484099a0b660d1544a63c07b633ed3a2"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:48:24.934Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an invalid `resolution` parameter, an attacker triggers an early `die()` via `forbiddenPage()` before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch."}], "source": {"advisory": "GHSA-8wf4-c4x3-h952", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T16:08:37.149152Z", "id": "CVE-2026-33717", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T16:10:19.803Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33717", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T16:08:37.149152Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T16:10:07.986Z"}}], "cna": {"title": "AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort", "source": {"advisory": "GHSA-8wf4-c4x3-h952", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8wf4-c4x3-h952", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8wf4-c4x3-h952", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/6da79b43484099a0b660d1544a63c07b633ed3a2", "name": "https://github.com/WWBN/AVideo/commit/6da79b43484099a0b660d1544a63c07b633ed3a2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an invalid `resolution` parameter, an attacker triggers an early `die()` via `forbiddenPage()` before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:48:24.934Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33717", "state": "PUBLISHED", "dateUpdated": "2026-03-24T16:10:19.803Z", "dateReserved": "2026-03-23T17:06:05.748Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:48:24.934Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an invalid `resolution` parameter, an attacker triggers an early `die()` via `forbiddenPage()` before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n `downloadVideoFromDownloadURL()` en `objects/aVideoEncoder.json.php` guarda contenido remoto en un directorio temporal accesible por web usando el nombre de archivo y la extensi\u00f3n de la URL original (incluyendo '.php'). Al proporcionar un par\u00e1metro `resolution` inv\u00e1lido, un atacante desencadena un `die()` temprano a trav\u00e9s de `forbiddenPage()` antes de que el archivo temporal pueda ser movido o limpiado, dejando un archivo PHP ejecutable persistentemente accesible bajo la ra\u00edz web en `videos/cache/tmpFile/`. El commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contiene un parche."}], "id": "CVE-2026-33717", "lastModified": "2026-03-25T14:57:45.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:42.497", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/6da79b43484099a0b660d1544a63c07b633ed3a2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8wf4-c4x3-h952"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-25T17:05:27.788939+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest AVideo release that contains the patch from commit 6da79b43484099a0b660d1544a63c07b633ed3a2.", "Delete any .php files that may remain in the videos/cache/tmpFile/ directory after the upgrade.", "Configure the temporary cache directory to prohibit script execution through server or .htaccess settings.", "Continuously monitor application logs for anomalous downloadVideoFromDownloadURL requests or repeated failures that might indicate exploitation attempts."], "summary": {"action": "Apply Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WWBN AVideo product in all versions up to and including 26.0. Only the encoder module that processes external video URLs is impacted and no other vendors or product lines are reported to be impacted.", "description_and_impact": "AVideo, an open source video platform, contains a flaw in its downloadVideoFromDownloadURL function where remote content is saved to a publicly accessible temporary directory using the original filename and extension, which may be .php. When an attacker provides an invalid resolution parameter, the function terminates early through forbiddenPage(), preventing the temporary file from being moved or deleted. This leaves the PHP file persistently accessible under videos/cache/tmpFile/, allowing the attacker to execute arbitrary PHP code on the server. The weakness is an unrestricted upload of a dangerous file type (CWE\u2011434).", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity vulnerability that can lead to complete compromise of affected systems. The EPSS score of less than 1% suggests low current exploit activity, and the vulnerability is not listed in the CISA KEV catalog. An attacker can likely exploit this flaw by sending a crafted HTTP request to downloadVideoFromDownloadURL with a malicious URL that ends with a .php extension and an invalid resolution value. Based on the description it is inferred that the endpoint may be accessible without authentication, meaning that an unauthenticated attacker can trigger the vulnerability. Successful exploitation allows an attacker to upload arbitrary PHP payloads that the web server will execute with the server\u2019s permissions."}}}}, "created": "2026-03-24T10:33:11.345322+00:00", "updated": "2026-03-25T20:37:02.705732+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}