Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33513 describes a path traversal vulnerability within the wwbn/avideo component. This flaw allows an attacker to include arbitrary PHP files, potentially leading to sensitive data disclosure and remote code execution. The vulnerability impacts versions of wwbn/avideo up to 26.0. A patch is currently pending from the vendor.
The vulnerability resides in the plugin/API/get.json.php endpoint, where user-supplied input is concatenated into an include path without proper sanitization or canonicalization. This allows an attacker to traverse the file system and include arbitrary PHP files under the web root. Successful exploitation can lead to the disclosure of sensitive configuration files, source code, and other critical data. While initial exploitation typically results in file disclosure, an attacker who can place or control a PHP file within the accessible directory tree can escalate the attack to achieve remote code execution, effectively compromising the entire application server. This presents a significant risk, particularly in environments where wwbn/avideo is used to process user-uploaded content or handle sensitive data.
This vulnerability was publicly disclosed on 2026-03-20. Currently, there are no known active campaigns targeting this specific CVE. Public proof-of-concept code may emerge, increasing the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The potential for remote code execution makes this a high-priority vulnerability to address.
Organizations using wwbn/avideo in production environments, particularly those with publicly accessible endpoints, are at risk. Shared hosting environments where multiple users share the same server and file system are especially vulnerable, as an attacker could potentially exploit this vulnerability to gain access to other users' data.
• wordpress / composer / npm:
grep -rF "include(\$_GET['locale']);" /var/www/avideo/
• generic web:
curl -sI 'http://your-avideo-site.com/plugin/API/get.json.php?locale=../../../../etc/passwd' | grep -i '^HTTP/' # check for 403 (request blocked) or 200 (possible disclosure)
Exploit status
EPSS
0.17% (39th percentile)
CISA SSVC
CVSS vector
Due to the lack of a fixed version, immediate mitigation strategies are crucial. Implement strict input validation on the plugin/API/get.json.php endpoint to prevent path traversal attempts. Configure a Web Application Firewall (WAF) to block requests containing suspicious path patterns, such as ../ or absolute paths. Consider temporarily disabling the bypassSameDomainCheck functionality if it's not essential. Regularly scan the web root for unauthorized PHP files. After a patch is released, upgrade to the fixed version immediately and verify the fix by attempting to access a non-existent file via the vulnerable endpoint; it should return a 404 error instead of including a PHP file.
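The input validation and WAF-style blocking described above, as an added example that is not AVideo's code: it assumes a locale directory with `<name>.php` files and the `locale` query parameter from the checks above, and shows why decoding before matching matters (a single `../` filter misses `%2e%2e/` and double-encoded forms).

```python
import os
import re
from urllib.parse import unquote

# Assumed locale directory and "<name>.php" naming for this example; the page does not
# give AVideo's real layout, so these are illustrative only.
LOCALE_DIR = "/var/www/avideo/locale"
LOCALE_NAME = re.compile(r"^[a-z]{2,3}(?:_[A-Z]{2})?$")
TRAVERSAL = re.compile(r"\.\.(?:/|\\)")

def decode_param(value: str) -> str:
    """Percent-decode until stable so %2e%2e/ and %252e%252e/ cannot bypass later checks."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_locale_file(locale: str, base_dir: str = LOCALE_DIR):
    """Return the path to include for an allowed locale, or None when the value is rejected."""
    value = decode_param(locale)
    # Layer 1: allowlist. A locale name never contains '/', '\\', '.' or NUL, so traversal
    # strings and null-byte truncation are rejected before any path is built.
    if not LOCALE_NAME.fullmatch(value):
        return None
    # Layer 2: canonicalize the joined path and require it to stay under base_dir,
    # so the check still holds if the allowlist is ever loosened.
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, value + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def looks_like_traversal(raw_param: str) -> bool:
    """WAF/log-review counterpart: flag ../ or ..\\ once the parameter is fully decoded."""
    return TRAVERSAL.search(decode_param(raw_param)) is not None

# Constructed access-log lines (not real traffic) for the detection helper below.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Mar/2026:10:00:01 +0000] "GET /plugin/API/get.json.php?locale=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Mar/2026:10:00:02 +0000] "GET /plugin/API/get.json.php?locale=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 0',
]
REQUEST = re.compile(r'"GET /plugin/API/get\.json\.php\?locale=([^ "]*)')

def flag_requests(lines):
    """Return the raw locale values of requests that carry a traversal attempt."""
    return [m.group(1) for m in map(REQUEST.search, lines) if m and looks_like_traversal(m.group(1))]
```

Running `flag_requests` over a real access log is a cheap retrospective check for attempts against the endpoint while the WAF rule and the validation are being rolled out.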
Update AVideo to a patched version that fixes the local file inclusion vulnerability. No patched versions are currently available, so it is recommended to monitor the vendor's security updates and apply the recommended mitigations, such as restricting access to the vulnerable API or implementing input validation.
CVE-2026-33513 is a path traversal vulnerability in wwbn/avideo that allows attackers to include arbitrary PHP files, potentially leading to code execution.
You are affected if you are using wwbn/avideo versions 26.0 and prior. Assess your environment immediately.
Upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until then, implement WAF rules and restrict access to the vulnerable endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate action.
Refer to the wwbn/avideo security advisories on their official website for the latest information and patch releases.