CVE-2026-33483
Published: 23 March 2026
Summary
CVE-2026-33483 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in WWBN AVideo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 directly protects against denial-of-service attacks by implementing controls to limit effects of resource exhaustion from unbounded file writes to /tmp/.
SC-6 safeguards critical resources like disk space from degradation or loss due to excessive consumption by unauthenticated POST requests lacking limits.
AC-14 restricts and authorizes specific actions performable without authentication, preventing unauthenticated arbitrary writes to persistent temp files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of unbounded resource allocation (CWE-770) in the aVideoEncoderChunk.json.php endpoint directly enables disk exhaustion DoS on the target host, mapping to application/system exploitation for endpoint denial of service.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch.
Deeper analysis
CVE-2026-33483 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the `aVideoEncoderChunk.json.php` endpoint, a standalone PHP script that lacks authentication, framework includes, and resource limits. It processes arbitrary POST data by writing it to persistent temporary files in the `/tmp/` directory without size caps, rate limiting, or cleanup mechanisms, enabling disk space exhaustion and denial of service (DoS) on the affected server. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated remote attacker can exploit this vulnerability by sending crafted POST requests to the endpoint. Since no privileges or user interaction are required, exploitation is straightforward over the network with low complexity. Successful attacks fill the server's `/tmp/` directory with unbounded files, leading to complete disk exhaustion and disrupting all services on the host, including the AVideo platform.
The GitHub security advisory (GHSA-vv7w-qf5c-734w) and commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 detail the patch, which security practitioners should apply to vulnerable versions by updating to the fixed commit or subsequent releases.
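To make the missing controls concrete, the following is an added illustration of a chunk-receiving PHP endpoint that enforces the authentication, size caps, per-upload quota and cleanup the advisory says `aVideoEncoderChunk.json.php` lacked. It is not AVideo's code or its patch; `lookupUploadIdForToken()`, the header names, the directory path and the limit values are assumptions chosen for the example.

```php
<?php
// Added illustration, not AVideo's code. lookupUploadIdForToken() is an assumed
// helper that maps a pre-issued upload token to a server-side upload id (null if unknown).
const MAX_CHUNK_BYTES  = 2 * 1024 * 1024;          // hard cap per request body
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024 * 1024;   // hard cap per upload, all chunks combined
const MAX_CHUNKS       = 4096;                      // bounds the chunk index a client may name
const CHUNK_DIR        = '/var/lib/avideo-chunks';  // assumed dedicated dir, not the shared /tmp
const STALE_SECONDS    = 3600;                      // abandoned uploads are reaped after this

function reject(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// Cleanup: remove chunk directories untouched for STALE_SECONDS so partial uploads cannot pile up.
function reapStale(string $root, int $now): void {
    foreach (glob($root . '/*', GLOB_ONLYDIR) ?: [] as $d) {
        if ($now - filemtime($d) <= STALE_SECONDS) continue;
        array_map('unlink', glob($d . '/*') ?: []);
        rmdir($d);
    }
}

// 1. Authentication: no valid token, no write. (Per-IP rate limiting is left to the reverse proxy.)
$uploadId = lookupUploadIdForToken($_SERVER['HTTP_X_UPLOAD_TOKEN'] ?? '');
if ($uploadId === null) reject(401, 'missing or invalid upload token');

// 2. Size cap checked before the body is read (unknown length is refused), then on what was read.
$declared = (int)($_SERVER['CONTENT_LENGTH'] ?? -1);
if ($declared < 0 || $declared > MAX_CHUNK_BYTES) reject(413, 'chunk too large or length not declared');
$body = stream_get_contents(fopen('php://input', 'rb'), MAX_CHUNK_BYTES + 1);
if ($body === false || strlen($body) > MAX_CHUNK_BYTES) reject(413, 'chunk exceeds limit');

// 3. Storage path derived from the server-side upload id, never from request-supplied names.
$idx = (int)($_SERVER['HTTP_X_CHUNK_INDEX'] ?? -1);
if ($idx < 0 || $idx >= MAX_CHUNKS) reject(400, 'chunk index out of range');
$dir = CHUNK_DIR . '/' . hash('sha256', $uploadId);
if (!is_dir($dir) && !mkdir($dir, 0700, true)) reject(500, 'cannot create chunk directory');

// 4. Per-upload quota: bytes already on disk for this upload are counted before accepting more.
$onDisk = array_sum(array_map('filesize', glob($dir . '/*.part') ?: []));
if ($onDisk + strlen($body) > MAX_UPLOAD_BYTES) reject(413, 'upload quota exceeded');

reapStale(CHUNK_DIR, time());
file_put_contents($dir . '/chunk-' . $idx . '.part', $body, LOCK_EX);
touch($dir);  // keep the directory's mtime current so an active upload is not reaped
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'bytes' => strlen($body), 'total' => $onDisk + strlen($body)]);
```

PHP's own `post_max_size` still bounds the request body at the interpreter level; the checks above add the per-upload quota and the cleanup that a global body limit alone does not provide.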
Details
- CWE(s)