CVE-2026-33717
Published: 23 March 2026
Summary
CVE-2026-33717 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wwbn Avideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-33717 by requiring timely remediation of the specific flaw in downloadVideoFromDownloadURL() via the vendor patch that prevents persistent storage of unsanitized remote files.
Enforces validation of input parameters like remote URL and resolution to block downloading and saving of executable content with dangerous extensions to web-accessible directories.
Scans downloaded remote content for malicious code, including executable PHP, at entry points before storage in the temporary web-accessible directory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an authenticated remote exploit against a public-facing web application (AVideo) that permits unrestricted upload of attacker-controlled PHP content to a web-accessible directory; the early termination path leaves the file in place, directly enabling web-shell deployment and subsequent RCE.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an…
more
invalid `resolution` parameter, an attacker triggers an early `die()` via `forbiddenPage()` before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch.
Deeper analysisAI
CVE-2026-33717 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the `downloadVideoFromDownloadURL()` function within `objects/aVideoEncoder.json.php`, which downloads remote content from a provided URL and saves it to a web-accessible temporary directory at `videos/cache/tmpFile/` using the original filename and extension from the URL, including potentially dangerous extensions like `.php`. This creates a risk of unrestricted file uploads (CWE-434), as the file is not properly validated or sanitized before storage. The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
An authenticated attacker with low privileges (PR:L) can exploit this by supplying a malicious remote URL pointing to executable PHP content and an invalid `resolution` parameter. The invalid resolution triggers an early `die()` call via `forbiddenPage()`, preventing the temporary file from being moved or cleaned up. This leaves the malicious PHP file persistently accessible under the web root, enabling remote code execution (RCE) with high confidentiality, integrity, and availability impact when the file is subsequently accessed and executed by the web server.
The GitHub security advisory (GHSA-8wf4-c4x3-h952) and patch commit 6da79b43484099a0b660d1544a63c07b633ed3a2 detail the fix, which addresses the early termination and improper file handling to prevent persistent storage of unsanitized remote content in the temporary directory. Security practitioners should update to a patched version beyond 26.0 and review configurations for the `aVideoEncoder.json.php` endpoint.
Details
- CWE(s)