Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33507 is a Remote Code Execution (RCE) vulnerability in the plugin import functionality of wwbn/avideo (AVideo). The import endpoint lacks CSRF protection, so an attacker who holds no account on the instance can cause the browser of a logged-in user with plugin-import rights (typically an administrator) to upload a plugin archive containing malicious PHP code, which the server then executes, handing the attacker control of the host. Versions up to and including 26.0 are affected; 26.0.1 contains the fix, and upgrading is the recommended remediation.
The impact is severe. Because the import endpoint performs no CSRF token check, an attacker-controlled page visited by a logged-in user with plugin-import rights can silently submit a plugin archive containing a PHP webshell. The application sets session.cookie_samesite = 'None' on HTTPS connections, so the browser attaches the victim's session cookie to that cross-site request; the attacker therefore needs no credentials of their own. Successful exploitation gives complete control of the server: arbitrary command execution, access to sensitive data, modification of files, and a foothold from which to pivot to other systems on the network. The realistic outcomes are data breach, full system compromise, and denial of service.
CVE-2026-33507 was published on 2026-03-20. The exploitation context is currently unclear, and no public Proof-of-Concept (PoC) code has been identified. Its severity is rated HIGH (CVSS 8.8), indicating significant potential for exploitation. Note that session.cookie_samesite = 'None' bears on CSRF, not on cross-site scripting: it instructs the browser to send the session cookie on cross-site requests, which is exactly what allows a forged request from another origin to ride on the victim's session. The attack vector described here is CSRF leading to RCE.
Exploit status
EPSS
0.06% (percentile 18%)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to wwbn/avideo 26.0.1 or later. If immediate upgrading is not possible, apply temporary workarounds: validate uploaded files strictly and reject ZIP archives that contain PHP files (check every entry name, not only the outer filename); add Web Application Firewall (WAF) rules that block requests to the plugin import endpoint carrying PHP file extensions or webshell patterns; review CSRF protection across the application so that every state-changing request requires a per-session token; and set session.cookie_samesite to 'Lax' or 'Strict' unless a cross-site flow genuinely requires 'None', in which case the token check must carry the load. After upgrading, verify the fix by submitting a plugin import request without a valid CSRF token (or from a different origin) and confirming that the server rejects it; a benign archive submitted through the legitimate form should still import normally and, as before, execute nothing at import time.
Update AVideo to a version later than 26.0. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains the fix for the CSRF vulnerability in the plugin import endpoint.
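The following is an added example written for this page; it is not AVideo's code and not the content of the fix commit. It shows the two controls the analysis and the mitigation list above turn on: the weak session.cookie_samesite = 'None' setting beside its corrected form, and a plugin import handler that requires a per-session CSRF token (plus a Sec-Fetch-Site check as defence in depth) and refuses archives containing PHP entries. The handler shape, the field names `csrf_token` and `plugin`, and the helper names `handlePluginImport`, `isAdminSession` and the import callable are hypothetical stand-ins for the real endpoint.

```php
<?php
// Added example for this advisory; not AVideo's code. Endpoint shape, field
// names and helper names are hypothetical stand-ins for the real import handler.
declare(strict_types=1);

// 1. Session cookie policy.
// Weak setting (the pattern this CVE turns on): with SameSite=None the browser
// attaches the session cookie to a POST issued from any site, so a page the
// victim merely visits can submit the import form on their behalf.
//   session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'None']);
// Hardened: Lax keeps the cookie off cross-site POSTs. A token check is still required.
session_set_cookie_params([
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);

// 2. CSRF token: one random value per session, emitted as a hidden form field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or empty session token always fails.
function csrfTokenValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// 3. Defence in depth: modern browsers set Sec-Fetch-Site on every request.
// 'cross-site' is the CSRF case and is rejected. A missing header (old client,
// non-browser tool) is let through, so the token check stays the decisive control.
function requestIsSameSite(array $server): bool
{
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? '';
    return $site === '' || in_array($site, ['same-origin', 'same-site', 'none'], true);
}

// 4. Content check from the mitigation list: refuse archives that carry PHP
// entries before anything is unpacked into the web root.
function archiveHasPhpEntries(string $zipPath): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return true; // unreadable archive: fail closed
    }
    $deny = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps'];
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = strtolower($zip->getNameIndex($i));
            // Look at every dotted suffix so "shell.php.txt" is caught as well as "x.phtml".
            foreach (array_slice(explode('.', basename($name)), 1) as $ext) {
                if (in_array($ext, $deny, true)) {
                    return true;
                }
            }
        }
    } finally {
        $zip->close();
    }
    return false;
}

// Hypothetical authorisation check: the real project has its own.
function isAdminSession(): bool
{
    return !empty($_SESSION['is_admin']);
}

// 5. Handler. Vulnerable shape, for contrast:
//   if (isAdminSession()) { $import($_FILES['plugin']['tmp_name']); }
// trusts the cookie alone, so a forged cross-site form submission passes.
function handlePluginImport(array $server, array $post, array $files, callable $import): void
{
    session_start();
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return;
    }
    if (!csrfTokenValid($post['csrf_token'] ?? null) || !requestIsSameSite($server)) {
        http_response_code(403);
        echo 'rejected: missing or invalid CSRF token';
        return;
    }
    if (!isAdminSession()) {
        http_response_code(403);
        return;
    }
    $tmp = $files['plugin']['tmp_name'] ?? '';
    if ($tmp === '' || !is_uploaded_file($tmp) || archiveHasPhpEntries($tmp)) {
        http_response_code(400);
        echo 'rejected: not an acceptable plugin archive';
        return;
    }
    $import($tmp); // the project's real import routine goes here
}

// Wire-up for the real endpoint, with the project's import routine as the callable:
// handlePluginImport($_SERVER, $_POST, $_FILES, 'importPluginArchive');
```

The token check is the control that actually closes the CSRF hole; the SameSite=Lax cookie and the Sec-Fetch-Site check only reduce the blast radius if a token check is ever skipped on another endpoint. The archive scan fails closed on unreadable archives because an import path that tolerates malformed input is the one an attacker will probe first.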
CVE-2026-33507 is a Remote Code Execution vulnerability in the plugin import functionality of wwbn/avideo: the import endpoint lacks CSRF protection, so an attacker without credentials can get malicious PHP code uploaded and executed through the browser of a logged-in user with plugin-import rights.
You are affected if you are using wwbn/avideo versions 26.0 or earlier. Assess your environment and upgrade as soon as possible.
Upgrade to wwbn/avideo 26.0.1 or later, which addresses the vulnerability. If immediate upgrading is not possible, implement temporary workarounds such as rejecting archives that contain PHP files, WAF rules on the import endpoint, and a stricter session.cookie_samesite setting.
Currently, there is no public evidence of active exploitation, but the HIGH severity and ease of exploitation warrant immediate attention and remediation.
Refer to the wwbn/avideo project's official website or security advisory page for the latest information and updates regarding CVE-2026-33507.