CVE-2026-33647
Published: 23 March 2026
Summary
CVE-2026-33647 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WWBN AVideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validating uploaded file metadata, including the user-supplied filename extension, against an allowlist so that executable polyglot files (for example, a JPEG/PHP polyglot saved as `.php`) are never written to web-accessible directories.
- Enforces restrictions on file upload inputs, such as permitted extensions and content types, so that dangerous files are rejected before they are accepted and stored.
- Directly remediates the flaw in `ImageGallery::saveFile()` by applying the vendor patch, which adds proper filename extension validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing web application (T1190) through unrestricted upload of polyglot PHP files, facilitating deployment of web shells (T1100) for remote code execution.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch.
Deeper analysis
CVE-2026-33647 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the `ImageGallery::saveFile()` method, which performs MIME type validation on uploaded files using `finfo` detection but derives the saved filename extension directly from the user-supplied original filename, with no allowlist check. This allows attackers to upload polyglot files, such as a file with valid JPEG magic bytes followed by PHP code, under a name with a `.php` extension. The file passes MIME validation but is stored as an executable PHP file in a web-accessible directory, enabling remote code execution (RCE). The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By uploading a crafted polyglot file via the image gallery functionality, the attacker bypasses content validation and achieves RCE on the server, potentially gaining high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged security scope (S:U).
The patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae on the project's GitHub repository. Additional details and mitigation guidance are provided in the GitHub security advisory at GHSA-wxjw-phj6-g75w.
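The following PHP example is added here to illustrate the pattern the analysis describes; it is not AVideo's code and is not taken from the vendor patch. The function names (`saveFileUnsafe`, `saveFileHardened`, `detectMime`), the `ALLOWED_TYPES` map and the sample input are assumptions constructed for the example. The unsafe variant checks content with `finfo` but takes the extension from the user-supplied name; the hardened variant derives the extension from the detected MIME type through a fixed allowlist, requires the claimed extension to agree with the content, and never reuses the user-supplied name.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's code. Allowlist: detected MIME type -> server-chosen extension.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Content sniffing via finfo (libmagic), as the advisory describes the original check doing.
function detectMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

// UNSAFE pattern (CWE-434): the MIME check is sound, but the saved extension is
// copied from $originalName, which the uploader controls. A file whose bytes
// look like a JPEG but whose name ends in ".php" is written as "<random>.php".
function saveFileUnsafe(string $tmpPath, string $originalName, string $destDir): string
{
    $mime = detectMime($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected MIME type: $mime");
    }
    $ext  = strtolower(pathinfo($originalName, PATHINFO_EXTENSION)); // attacker-controlled
    $dest = $destDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException("could not store upload");
    }
    return $dest;
}

// HARDENED: extension comes from the allowlist keyed on detected content, the
// user-supplied extension must match it (defence in depth), and the stored name
// is generated server-side so no part of the original filename reaches disk.
function saveFileHardened(string $tmpPath, string $originalName, string $destDir): string
{
    $mime = detectMime($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected MIME type: $mime");
    }
    $claimed = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($claimed === 'jpeg') {
        $claimed = 'jpg'; // normalise the one common alias
    }
    if ($claimed !== ALLOWED_TYPES[$mime]) {
        throw new RuntimeException("extension '$claimed' does not match content type $mime");
    }
    $dest = $destDir . '/' . bin2hex(random_bytes(8)) . '.' . ALLOWED_TYPES[$mime];
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException("could not store upload");
    }
    return $dest;
}

// Constructed demo input: a minimal JPEG header (SOI + APP0/JFIF marker), no script
// content, uploaded under the user-chosen name "photo.php".
function makeDemoUpload(string $dir): string
{
    $tmp = $dir . '/upload_' . bin2hex(random_bytes(4)) . '.tmp';
    file_put_contents($tmp, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00");
    return $tmp;
}

$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

$stored = saveFileUnsafe(makeDemoUpload($dir), 'photo.php', $dir);
echo "unsafe stored as:   " . basename($stored) . PHP_EOL;   // ends in .php

try {
    saveFileHardened(makeDemoUpload($dir), 'photo.php', $dir);
} catch (RuntimeException $e) {
    echo "hardened rejected:  " . $e->getMessage() . PHP_EOL;
}

$stored = saveFileHardened(makeDemoUpload($dir), 'photo.jpg', $dir);
echo "hardened stored as: " . basename($stored) . PHP_EOL;   // ends in .jpg
```

The allowlist fix is the control the advisory maps to SI-10; two further layers are worth pairing with it. Serve the upload directory with script execution disabled (or from outside the document root entirely), so that a bypass of the name check still cannot yield code execution, and re-encode accepted images through an image library before storing them, which strips trailing payload bytes from a polyglot. For detection, alert on any file with a script extension appearing under an upload path and on web server requests for such a path.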
Details
- CWE(s)