CVE-2026-33354
Published: 23 March 2026
Summary
CVE-2026-33354 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in WWBN AVideo. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 12.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly validates the requester-controlled `chunkFile` parameter to ensure only trusted server-generated chunk paths are accepted, preventing arbitrary local file reads.
- Restricts information inputs like the `chunkFile` parameter to authorized paths under trusted directories, blocking exploitation via broad server paths such as `/var/www/` or `videos`.
- Enforces access control policies at the application level to mediate and restrict authenticated users from copying unauthorized local files to public video storage.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable path control flaw in an internet-facing web endpoint (aVideoEncoder.json.php) that directly enables arbitrary local file reads on the server filesystem, mapping to initial access via public application exploitation and subsequent data collection from the local system.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue.
Deeper analysis
CVE-2026-33354 is a vulnerability in WWBN AVideo, an open source video platform, affecting versions up to and including 26.0. The issue lies in the `POST /objects/aVideoEncoder.json.php` endpoint, which processes a requester-controlled `chunkFile` parameter intended for staged upload chunks. Rather than restricting paths to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass the `isValidURLOrPath()` helper function. This function permits files under broad server directories such as `/var/www/`, the application root, cache, tmp, and `videos`, while only rejecting `.php` files.
An authenticated uploader editing their own video can exploit this flaw to achieve arbitrary local file reads. By specifying a target path in the `chunkFile` parameter, the endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it becomes downloadable over HTTP. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) and maps to CWE-73.
Mitigation is addressed in commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f on the AVideo GitHub repository, which patches the issue. Additional details are available in the GitHub security advisory GHSA-4jw9-5hrc-m4j6.
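The validation gap described above, as an added example that is not AVideo's own code: a weak prefix-allowlist check modelled on the `isValidURLOrPath()` behaviour the advisory describes, beside a hardened validator that accepts only canonicalised paths inside a single trusted chunk directory. The function names, the chunk directory and the `.partN` chunk naming pattern are assumptions made for illustration.

```php
<?php
// Added example, not AVideo's own code: chunk-path validator modelled on the flaw above.
// Function names, the chunk directory and the naming pattern are assumptions for illustration.
declare(strict_types=1);
// Weak check, modelled on the page's description of isValidURLOrPath(): any path
// under a broad root is accepted as long as it does not end in .php.
function weakPathCheck(string $path, array $allowedRoots): bool
{
    if (preg_match('/\.php$/i', $path)) {
        return false;
    }
    foreach ($allowedRoots as $root) {
        if (strpos($path, $root) === 0) {
            return true;
        }
    }
    return false;
}

// Hardened check: a regular file named like a server-generated chunk whose
// canonical path lies inside the single trusted chunk directory.
function isTrustedChunkPath(string $path, string $chunkDir): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.part\d+$/', basename($path))) {
        return false; // not a server-generated chunk name (hypothetical scheme)
    }
    $root = realpath($chunkDir);
    $real = realpath($path); // resolves ../ and symlinks; false if missing
    if ($root === false || $real === false || !is_file($real)) {
        return false;
    }
    // Containment on canonical paths; the trailing separator stops prefix
    // collisions such as /tmp/chunks-other matching /tmp/chunks.
    return strpos($real, $root . DIRECTORY_SEPARATOR) === 0;
}
// Demonstration with constructed files and paths.
$chunkDir = sys_get_temp_dir() . '/avideo-chunks-demo';
@mkdir($chunkDir, 0700, true);
file_put_contents("$chunkDir/upload1.part0", 'chunk data');
file_put_contents(sys_get_temp_dir() . '/outside.part0', 'not a chunk');
$candidates = [
    "$chunkDir/upload1.part0",         // legitimate staged chunk: both accept
    '/var/www/html/videos/other.mp4',  // under a broad root: weak accepts
    "$chunkDir/../outside.part0",      // traversal with a valid name: weak accepts
];
foreach ($candidates as $c) {
    printf("%s weak=%s hardened=%s\n", $c,
        weakPathCheck($c, ['/var/www/', $chunkDir]) ? 'accept' : 'reject',
        isTrustedChunkPath($c, $chunkDir) ? 'accept' : 'reject');
}
```

The hardened check rejects the second and third candidates because the name pattern and the canonical-path containment test are applied together; a `.php` blocklist alone catches neither.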