Platform
php
Component
wwbn/avideo
Fixed version
26.0.1
CVE-2026-33513 describes a path traversal vulnerability within the wwbn/avideo component. This flaw allows an attacker to include arbitrary PHP files, potentially leading to sensitive data disclosure and remote code execution. The vulnerability impacts versions of wwbn/avideo up to and including 26.0. A patch is expected to address this issue.
The vulnerability lies in the plugin/API/get.json.php endpoint, where user-supplied input is concatenated into an include path without proper sanitization or canonicalization. This allows an attacker to traverse the file system and include arbitrary PHP files under the web root. Successful exploitation can lead to the disclosure of sensitive configuration files, source code, and other critical data. Furthermore, if an attacker can upload or control a PHP file within the accessible directory structure, they can achieve remote code execution, effectively compromising the entire application. This mirrors the impact of other path traversal vulnerabilities where file inclusion is leveraged for malicious purposes.
This vulnerability was publicly disclosed on 2026-03-20. The availability of a public CVE suggests a higher likelihood of exploitation. The potential for remote code execution elevates the risk significantly. Currently, there are no confirmed reports of active exploitation, but the ease of exploitation and potential impact warrant immediate attention. No KEV listing is present as of this writing.
Organizations using wwbn/avideo in production environments, particularly those with publicly accessible endpoints, are at risk. Shared hosting environments where multiple users share the same server and file system are especially vulnerable, as an attacker could potentially exploit this vulnerability to gain access to other users' data.
• wordpress / composer / npm:
  grep -rF "include(\$_GET['locale']);" /var/www/avideo/
• generic web:
  curl -I 'http://your-avideo-site.com/plugin/API/get.json.php?locale=../../../../etc/passwd' | grep -i '^HTTP/'   # check for 403 or 200
Exploit status
EPSS
0.17% (39th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of wwbn/avideo that addresses this vulnerability. Until an upgrade is possible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests containing suspicious path traversal patterns, such as sequences of ../. Carefully review and restrict access to the plugin/API/get.json.php endpoint. Monitor access logs for unusual file inclusion attempts. Implement strict input validation and sanitization on all user-supplied data to prevent path traversal attacks. After upgrade, confirm by attempting to access the vulnerable endpoint with a crafted path traversal payload and verifying that access is denied.
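The flaw described above is a request parameter flowing into an include path without validation or canonicalization, and the mitigation list above asks for strict input validation. The following PHP is an added illustration written for this page, not AVideo's own code: the `locale` parameter name is taken from the grep line above, while the endpoint layout, the locale directory and the function name are assumptions. It shows the unsafe shape next to one hardened form that combines a syntactic allowlist with realpath() canonicalization and a base-directory containment check.

```php
<?php
// Added illustrative example; not code from the AVideo project. The "locale"
// parameter name comes from the advisory; the directory layout and the
// function name are assumptions.
declare(strict_types=1);

/**
 * Resolve a user-supplied locale name to a PHP file inside $baseDir.
 * Returns null unless the value is syntactically a locale identifier AND the
 * canonicalized path still lies inside $baseDir.
 */
function resolveLocaleFile(string $userValue, string $baseDir): ?string
{
    // 1. Syntactic allowlist: "en", "pt_BR", "zh-Hans", ... Anything containing
    //    slashes, dots, NUL bytes or encoded traversal sequences is rejected here.
    if (!preg_match('/\A[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*\z/', $userValue)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // 2. Canonicalize the final path (resolves "..", symlinks) and confirm it is
    //    still under the base directory; the allowlist alone does not cover symlinks.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userValue . '.php');
    if ($candidate === false) {
        return null;                       // no such locale file
    }
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the locale directory
    }
    return $candidate;
}

// Unsafe shape (what the advisory describes): request input goes straight into include().
// include($_GET['locale']);

// Hardened use of the same parameter:
$localeDir = __DIR__ . '/locale';          // assumed location of the locale files
$file = resolveLocaleFile((string) ($_GET['locale'] ?? 'en'), $localeDir);
if ($file === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'invalid locale']);
    exit;
}
include $file;
```

The allowlist alone stops traversal sequences such as `../`, and the realpath() containment check is the second layer that also catches a symlink planted inside the locale directory; keeping both means a mistake in one does not become an arbitrary file inclusion.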
Update AVideo to a patched version that fixes the local file inclusion vulnerability. No patched versions are currently available, so it is recommended to monitor the vendor's security updates and apply the recommended mitigations, such as restricting access to the vulnerable API or implementing input validation.
CVE-2026-33513 is a path traversal vulnerability in wwbn/avideo that allows attackers to include arbitrary PHP files, potentially leading to code execution.
You are affected if you are using wwbn/avideo versions 26.0 and prior. Assess your environment immediately.
Upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until then, implement WAF rules and restrict access to the vulnerable endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate action.
Refer to the wwbn/avideo security advisories on their official website for the latest information and patch releases.