Cyber Resilience

CVE-2026-28502

Critical

Published: 06 March 2026

Modified: 16 March 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0067 (47.3rd percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28502 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wwbn Avideo. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE ranks at the 47.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-11 (User-installed Software).

Deeper analysis

CVE-2026-28502 is an authenticated remote code execution (RCE) vulnerability in WWBN AVideo, an open source video platform. Affecting versions prior to 24.0, the issue stems from the plugin upload/import functionality, which fails to adequately validate contents of uploaded ZIP archives. This allows a specially crafted archive containing executable server-side files to be extracted directly into a web-accessible plugin directory, enabling arbitrary PHP code execution. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated administrator can exploit this vulnerability remotely with low complexity and no user interaction. By uploading a malicious ZIP archive via the plugin import feature, the attacker achieves arbitrary code execution on the server, potentially leading to full system compromise given the high impacts on confidentiality, integrity, and availability.

The vulnerability has been patched in AVideo version 24.0. Mitigation involves upgrading to this version or later. Key resources include the patching commit at https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db, the release page at https://github.com/WWBN/AVideo/releases/tag/24.0, and the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3.
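As an added illustration of the input-validation control this advisory points to (it is not AVideo's own code and not the project's patch), the following Python check inspects a plugin archive before anything is extracted: it rejects entries whose paths would escape the plugin directory, symlink entries, and any entry a PHP server would execute from a web-accessible directory. The suffix list, the function names and the sample archives are constructed assumptions for this example.

```python
import io
import posixpath
import re
import zipfile

# Suffixes a typical PHP web server executes (assumed list; align with your handler config).
SERVER_SIDE_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

def archive_problems(data: bytes) -> list[str]:
    """Inspect a plugin ZIP before extraction; return every reason to reject it (empty = ok)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            norm = posixpath.normpath(info.filename.replace("\\", "/"))
            # Zip-slip: absolute paths, drive letters or a leading '..' would
            # land the entry outside the extraction root.
            if posixpath.isabs(norm) or re.match(r"^[A-Za-z]:", norm) or norm.split("/")[0] == "..":
                problems.append(f"path escapes plugin directory: {info.filename}")
                continue
            # Symlink entries (Unix mode in the high 16 bits) can point anywhere on disk.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"symlink entry not allowed: {info.filename}")
                continue
            if info.is_dir():
                continue
            # Check every dotted suffix: 'shell.php.txt' is still handed to PHP
            # under some Apache handler configurations.
            suffixes = {s.lower() for s in posixpath.basename(norm).split(".")[1:]}
            if suffixes & SERVER_SIDE_SUFFIXES:
                problems.append(f"server-side executable file: {info.filename}")
    return problems

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {path: content} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples: an asset-only plugin, one carrying a PHP file, one with zip-slip paths.
BENIGN = build_zip({"MyPlugin/plugin.json": b"{}", "MyPlugin/assets/app.js": b"// ui"})
MALICIOUS = build_zip({"MyPlugin/plugin.json": b"{}", "MyPlugin/helper.php": b"<?php // ?>"})
TRAVERSAL = build_zip({"../objects/logo.png": b"PNG"})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("malicious", MALICIOUS), ("traversal", TRAVERSAL)]:
        print(label, archive_problems(blob) or "ok")
```

Run the check on the uploaded bytes and refuse the import when the list is non-empty; a non-empty result is also worth logging, since a rejected archive with server-side files is a useful detection signal.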

Vulnerability details

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables uploading and extracting malicious PHP files to a web-accessible directory via an authenticated plugin import feature in a public-facing web application, directly facilitating web shell deployment (T1100) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33647 (same product: Wwbn Avideo)
CVE-2026-33717 (same product: Wwbn Avideo)
CVE-2025-34436 (same product: Wwbn Avideo)
CVE-2026-40909 (same product: Wwbn Avideo)
CVE-2025-34434 (same product: Wwbn Avideo)
CVE-2026-33507 (same product: Wwbn Avideo)
CVE-2026-33292 (same product: Wwbn Avideo)
CVE-2026-33479 (same product: Wwbn Avideo)
CVE-2026-33767 (same product: Wwbn Avideo)
CVE-2026-33770 (same product: Wwbn Avideo)

Affected Assets

wwbn avideo: ≤ 24.0

Mitigating Controls

NIST 800-53 r5

SI-10 Information Input Validation (prevent)

Directly requires validation of uploaded ZIP archive contents to prevent extraction of executable PHP files into web-accessible directories, addressing the core unrestricted upload vulnerability.

(prevent, detect)

Deploys malicious code protection at system entry points to scan and block ZIP archives containing executable server-side files before extraction.

CM-11 User-installed Software (prevent)

Enforces policies restricting user-installed software like plugins via authenticated upload, preventing administrators from deploying unapproved malicious components.