Cyber Resilience

CVE-2026-33483

High | Public PoC | DDoS

Published: 23 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (commit 33d1bae6c731ef1682fcdc47b428313be073a5d1)
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0061 (70.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33483 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in WWBN AVideo. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 29.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-5 (Denial-of-Service Protection).

Deeper analysis

CVE-2026-33483 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the `aVideoEncoderChunk.json.php` endpoint, a standalone PHP script that lacks authentication, framework includes, and resource limits. It processes arbitrary POST data by writing it to persistent temporary files in the `/tmp/` directory without size caps, rate limiting, or cleanup mechanisms, enabling disk space exhaustion and denial of service (DoS) on the affected server. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated remote attacker can exploit this vulnerability by sending crafted POST requests to the endpoint. Since no privileges or user interaction are required, exploitation is straightforward over the network with low complexity. Successful attacks fill the server's `/tmp/` directory with files of unbounded size, leading to complete disk exhaustion and disrupting all services on the host, including the AVideo platform.

The GitHub security advisory (GHSA-vv7w-qf5c-734w) and commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 detail the patch, which security practitioners should apply to vulnerable versions by updating to the fixed commit or subsequent releases.


Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch.
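Until the patched commit is deployed, the abuse pattern described above (many unauthenticated POST bodies to `aVideoEncoderChunk.json.php` from one client) is visible in the web server's access log. The following is an added detection example, not code from the advisory or from the AVideo project; it assumes an nginx-style combined log with `$request_length` appended as the last field, matches the endpoint by file name because its directory prefix is not given here, and runs on constructed log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "aVideoEncoderChunk.json.php"
# Assumed log format: nginx combined log with $request_length appended as the last field
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'\d{3} (?:\d+|-) (?P<req_len>\d+)$')

def parse_chunk_posts(log_text):
    """Yield (ip, timestamp, request_bytes) for POSTs to the chunk endpoint,
    matching on the file name so the (unknown here) directory prefix does not matter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith("/" + ENDPOINT):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["req_len"])

def find_abusers(log_text, window_s=60, max_posts=20, max_bytes=100 * 2**20):
    """Return {ip: (posts, bytes)} for clients whose POSTs to the endpoint exceed
    either threshold inside any sliding window of window_s seconds."""
    by_ip = defaultdict(list)
    for ip, ts, size in parse_chunk_posts(log_text):
        by_ip[ip].append((ts, size))
    window, abusers = timedelta(seconds=window_s), {}
    for ip, events in by_ip.items():
        events.sort()
        start = total = 0
        for end, (ts, size) in enumerate(events):
            total += size
            while ts - events[start][0] > window:  # drop events that fell out of the window
                total -= events[start][1]
                start += 1
            if end - start + 1 > max_posts or total > max_bytes:
                abusers[ip] = (end - start + 1, total)
                break
    return abusers

def constructed_log():
    """Constructed sample: one client sends 25 x 10 MiB chunks in 25 s, another sends
    three small chunks fifteen seconds apart, plus an unrelated GET."""
    fmt = '{ip} - - [23/Mar/2026:10:00:{s:02d} +0000] "POST /aVideoEncoderChunk.json.php HTTP/1.1" 200 41 {n}'
    lines = [fmt.format(ip="203.0.113.7", s=i, n=10 * 2**20) for i in range(25)]
    lines += [fmt.format(ip="198.51.100.4", s=15 * i, n=4096) for i in range(3)]
    lines.append('198.51.100.4 - - [23/Mar/2026:10:00:50 +0000] "GET /index.php HTTP/1.1" 200 512 310')
    return "\n".join(lines)

if __name__ == "__main__":
    print(find_abusers(constructed_log()))  # flags 203.0.113.7 only
```

The thresholds are starting points; tune `max_posts` and `max_bytes` to the legitimate chunked-upload volume of your own deployment so normal encoder traffic is not flagged.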

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated remote exploitation of unbounded resource allocation (CWE-770) in the aVideoEncoderChunk.json.php endpoint directly enables disk exhaustion DoS on the target host, mapping to application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34731 (same product: WWBN AVideo)
CVE-2026-33502 (same product: WWBN AVideo)
CVE-2025-36548 (same product: WWBN AVideo)
CVE-2026-33488 (same product: WWBN AVideo)
CVE-2026-33479 (same product: WWBN AVideo)
CVE-2026-34374 (same product: WWBN AVideo)
CVE-2026-33492 (same product: WWBN AVideo)
CVE-2026-33647 (same product: WWBN AVideo)
CVE-2026-34375 (same product: WWBN AVideo)
CVE-2026-27732 (same product: WWBN AVideo)

Affected Assets

Vendor: wwbn
Product: avideo
Versions: ≤ 26.0

Mitigating Controls (NIST 800-53 r5) (AI)

SC-5 (prevent): directly protects against denial-of-service attacks by implementing controls to limit the effects of resource exhaustion from unbounded file writes to /tmp/.

SC-6 (prevent): safeguards critical resources such as disk space from degradation or loss due to excessive consumption by unauthenticated POST requests lacking limits.

AC-14 (prevent): restricts and authorizes the specific actions that may be performed without authentication, preventing unauthenticated arbitrary writes to persistent temp files.
