Cyber Posture

CVE-2026-33513

Severity: High · Public PoC: yes

Published: 23 March 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: none available at publication
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0033 (55.9th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33513 is a high-severity path traversal (CWE-22) vulnerability in WWBN AVideo that leads to local PHP file inclusion. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.1% of CVEs by exploit likelihood (EPSS 55.9th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation (prevent)

Directly mitigates the path traversal by requiring validation, sanitization, or rejection of user input reaching the locale API parameter before it is used in an include path, preventing arbitrary PHP file inclusion.

CM-6 Configuration Settings (prevent)

Enforces secure PHP configuration settings such as open_basedir restrictions, which limit the paths an include can reach to authorized directories. Caveat: the advisory's confirmed impact is inclusion of PHP files that already exist under the web root, and any open_basedir that covers the web root still permits that. Treat this control as blast-radius reduction (it keeps upload, session and temp directories outside the web root out of reach of the include) rather than a fix, and pair it with SI-10 and patching.

Patching (prevent)

Requires timely identification, reporting, and patching of the specific path traversal flaw in AVideo versions up to and including 26.0, eliminating the vulnerability once a fixed release is available (none was available at publication).

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The path traversal sits in an unauthenticated, public-facing web API endpoint and enables remote exploitation of the application for file disclosure and execution of existing PHP content, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
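A log-side check for this T1190 mapping, as an added example that is not part of the page or of the AVideo project: it scans combined-format web-server access logs for requests to `APIName=locale` whose query values carry a parent-directory step or a NUL byte after URL decoding. Because the advisory names the endpoint but not the parameter that carries the traversal, every query value of such a request is inspected, and decoding is applied twice so single- and double-percent-encoded payloads both surface. The request path `/plugin/API/get.json.php`, the client addresses and the log lines are constructed for the demo.

```php
<?php
// Added example, not code from the page or the AVideo project. Scans
// combined-format access logs for traversal probes against the locale API.
// The request path /plugin/API/get.json.php and the log lines below are
// constructed for the demo.

// Decode twice so %2e%2e and double-encoded %252e%252e both surface.
// rawurldecode keeps '+' literal, so only %XX escapes are changed.
function decodeTwice(string $s): string
{
    return rawurldecode(rawurldecode($s));
}

// True when the request targets APIName=locale and any query value carries
// a parent-directory step (../ or ..\) or a NUL byte after decoding.
function isLocaleTraversalProbe(string $requestTarget): bool
{
    $query = parse_url($requestTarget, PHP_URL_QUERY);
    if (!is_string($query) || stripos(decodeTwice($query), 'APIName=locale') === false) {
        return false;                         // not the vulnerable endpoint
    }
    // Split by hand rather than parse_str() so duplicate keys are not collapsed.
    foreach (explode('&', $query) as $pair) {
        $kv    = explode('=', $pair, 2);
        $value = decodeTwice($kv[1] ?? '');
        if (strpos($value, "\0") !== false || preg_match('#\.\.[/\\\\]#', $value)) {
            return true;
        }
    }
    return false;
}

// Parse combined-format lines and return the ones that look like probes.
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // client ident user [time] "METHOD target HTTP/x.y" status ...
        if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m)) {
            continue;                         // unparsable line, skip it
        }
        if (isLocaleTraversalProbe($m[4])) {
            $hits[] = ['client' => $m[1], 'time' => $m[2], 'status' => $m[5], 'target' => $m[4]];
        }
    }
    return $hits;
}

// Constructed sample log: one benign call, three encodings of the same
// traversal, and one traversal against a different endpoint (out of scope
// for this rule; a generic traversal rule would cover it separately).
$sample = [
    '203.0.113.7 - - [23/Mar/2026:10:01:02 +0000] "GET /plugin/API/get.json.php?APIName=locale&locale=en HTTP/1.1" 200 512 "-" "curl/8.5"',
    '203.0.113.7 - - [23/Mar/2026:10:01:03 +0000] "GET /plugin/API/get.json.php?APIName=locale&locale=../../view/about HTTP/1.1" 200 2048 "-" "curl/8.5"',
    '198.51.100.4 - - [23/Mar/2026:10:02:10 +0000] "GET /plugin/API/get.json.php?APIName=locale&locale=%2e%2e%2f%2e%2e%2fview%2fabout HTTP/1.1" 200 2048 "-" "python-requests/2.32"',
    '198.51.100.4 - - [23/Mar/2026:10:02:11 +0000] "GET /plugin/API/get.json.php?APIName=locale&locale=%252e%252e%252fview%252fabout HTTP/1.1" 500 0 "-" "python-requests/2.32"',
    '192.0.2.9 - - [23/Mar/2026:10:03:00 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=../../x HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sample) as $hit) {
    printf("%s %s status=%s %s\n", $hit['time'], $hit['client'], $hit['status'], $hit['target']);
}
```

Run it with `php detect.php`; to point it at a real log, replace `$sample` with `file('access.log', FILE_IGNORE_NEW_LINES)`. The double decode is deliberate: the web server logs the request target as sent, so evasion via double encoding only becomes visible after the second pass, at the cost of an occasional false positive on values that legitimately contain `%25`.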

NVD Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

Deeper analysis (AI-generated)

CVE-2026-33513 is a path traversal vulnerability (CWE-22, CWE-98) in WWBN AVideo, an open-source video platform, affecting versions up to and including 26.0. The issue stems from an unauthenticated API endpoint (`APIName=locale`) that concatenates user-supplied input directly into a PHP `include` path without canonicalization or whitelisting. This allows traversal outside intended directories, enabling the inclusion and execution of arbitrary PHP files under the web root.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, no privileges, no user interaction, and unchanged scope (CVSSv3.1 score: 8.6; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). Exploitation results in confirmed file disclosure and execution of existing PHP content, such as `view/about.php`. It can escalate to remote code execution (RCE) if the attacker can place or control a PHP file elsewhere in the traversable tree under the web root.

The GitHub security advisory (GHSA-8fw8-q79c-fp9m) states that, as of the CVE publication on 2026-03-23, no patched versions of AVideo are available. Security practitioners should monitor the repository for updates while applying workarounds where feasible, such as disabling the vulnerable endpoint or blocking requests for `APIName=locale` at the web server or WAF.
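The vulnerable and hardened shapes of the include described above, as an added illustration written for this page (it is not AVideo's code and not the advisory's proof of concept). The `locale` parameter name, the `locale/` directory layout, the `.php` suffix and the allow-list contents are assumptions, since the advisory gives only the endpoint name. The hardened resolver applies the SI-10 fix class: an exact-match allow-list first, then canonical-path containment as defence in depth. The demo builds a throwaway directory tree under the system temp dir so it runs offline with `php`.

```php
<?php
// Added example (not AVideo's code): models the bug class the advisory
// describes and the fix class SI-10 asks for. The 'locale' parameter name,
// the locale/ directory layout, the '.php' suffix and the allow-list are
// assumptions made for illustration; the real endpoint's layout is not
// on this page.

// Vulnerable shape: user input concatenated straight into an include path.
// With locale = '../view/about' the include leaves the locale/ directory.
function localePathVulnerable(string $baseDir, string $locale): string
{
    return $baseDir . '/locale/' . $locale . '.php';
}

// Hardened shape: exact-match allow-list first, then canonical-path
// containment (catches symlinks and any future widening of the list).
// Returns null when the request is refused.
function localePathHardened(string $baseDir, string $locale, array $allowed): ?string
{
    if (!in_array($locale, $allowed, true)) {
        return null;                                  // unknown locale code
    }
    $localeDir = realpath($baseDir . '/locale');
    $candidate = realpath($baseDir . '/locale/' . $locale . '.php');
    if ($localeDir === false || $candidate === false) {
        return null;                                  // missing dir or file
    }
    // Require the canonical file to sit strictly inside the canonical dir.
    $prefix = $localeDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                  // escaped locale/
    }
    return $candidate;
}

// Constructed temporary tree:
//   <tmp>/locale/en.php   legitimate locale file
//   <tmp>/view/about.php  an existing PHP file, as the advisory names
$root = sys_get_temp_dir() . '/avideo-demo-' . getmypid();
mkdir("$root/locale", 0700, true);
mkdir("$root/view", 0700, true);
file_put_contents("$root/locale/en.php", "<?php return ['lang' => 'en'];\n");
file_put_contents("$root/view/about.php", "<?php echo 'about page';\n");

$attack  = '../view/about';                // traversal payload
$allowed = ['en', 'pt_BR', 'es'];          // assumed locale allow-list

// Vulnerable: the traversal resolves to view/about.php, which include would run.
printf("vulnerable resolves to: %s\n", realpath(localePathVulnerable($root, $attack)));

// Hardened: traversal refused, legitimate locale still resolves inside locale/.
printf("hardened (traversal): %s\n", var_export(localePathHardened($root, $attack, $allowed), true));
printf("hardened (en):        %s\n", var_export(localePathHardened($root, 'en', $allowed), true));

// Remove the constructed tree.
unlink("$root/locale/en.php");
unlink("$root/view/about.php");
rmdir("$root/locale");
rmdir("$root/view");
rmdir($root);
```

The allow-list alone is sufficient to close the flaw; the `realpath()` containment check is kept so that a later change to the list (or a symlink dropped into `locale/`) cannot silently reopen the include to the rest of the web root. Note that `open_basedir` would not have stopped the demo's payload, because `view/about.php` sits under the same base directory.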

Details

CWE(s): CWE-22 (Path Traversal), CWE-98 (PHP File Inclusion)
Affected Products: wwbn avideo ≤ 26.0

CVEs Like This One

CVE-2026-33292 (same product: WWBN AVideo)
CVE-2026-28501 (same product: WWBN AVideo)
CVE-2026-40925 (same product: WWBN AVideo)
CVE-2026-33719 (same product: WWBN AVideo)
CVE-2025-48732 (same product: WWBN AVideo)
CVE-2026-41058 (same product: WWBN AVideo)
CVE-2026-33767 (same product: WWBN AVideo)
CVE-2026-33716 (same product: WWBN AVideo)
CVE-2026-41057 (same product: WWBN AVideo)
CVE-2026-33770 (same product: WWBN AVideo)
