Cyber Resilience

CVE-2026-33717

HighPublic PoC

Published: 23 March 2026

Published
23 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 31.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33717 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wwbn Avideo. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33717 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the `downloadVideoFromDownloadURL()` function within `objects/aVideoEncoder.json.php`, which downloads remote content from a provided URL and saves it to a web-accessible temporary directory at `videos/cache/tmpFile/` using the original filename and extension from the URL, including potentially dangerous extensions like `.php`. This creates a risk of unrestricted file uploads (CWE-434), as the file is not properly validated or sanitized before storage. The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.

An authenticated attacker with low privileges (PR:L) can exploit this by supplying a malicious remote URL pointing to executable PHP content and an invalid `resolution` parameter. The invalid resolution triggers an early `die()` call via `forbiddenPage()`, preventing the temporary file from being moved or cleaned up. This leaves the malicious PHP file persistently accessible under the web root, enabling remote code execution (RCE) with high confidentiality, integrity, and availability impact when the file is subsequently accessed and executed by the web server.

The GitHub security advisory (GHSA-8wf4-c4x3-h952) and patch commit 6da79b43484099a0b660d1544a63c07b633ed3a2 detail the fix, which addresses the early termination and improper file handling to prevent persistent storage of unsanitized remote content in the temporary directory. Security practitioners should update to a patched version beyond 26.0 and review configurations for the `aVideoEncoder.json.php` endpoint.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an…

more

invalid `resolution` parameter, an attacker triggers an early `die()` via `forbiddenPage()` before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The CVE describes an authenticated remote exploit against a public-facing web application (AVideo) that permits unrestricted upload of attacker-controlled PHP content to a web-accessible directory; the early termination path leaves the file in place, directly enabling web-shell deployment and subsequent RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33647Same product: Wwbn Avideo
CVE-2026-28502Same product: Wwbn Avideo
CVE-2025-34436Same product: Wwbn Avideo
CVE-2026-40909Same product: Wwbn Avideo
CVE-2025-34434Same product: Wwbn Avideo
CVE-2026-33507Same product: Wwbn Avideo
CVE-2026-33292Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-33717 by requiring timely remediation of the specific flaw in downloadVideoFromDownloadURL() via the vendor patch that prevents persistent storage of unsanitized remote files.

prevent

Enforces validation of input parameters like remote URL and resolution to block downloading and saving of executable content with dangerous extensions to web-accessible directories.

preventdetect

Scans downloaded remote content for malicious code, including executable PHP, at entry points before storage in the temporary web-accessible directory.

References