CVE-2026-40909
Published: 21 April 2026
Summary
CVE-2026-40909 is a high-severity Path Traversal (CWE-22) vulnerability in Wwbn Avideo. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the core path traversal (CWE-22) by requiring validation and sanitization of the unsanitized `$_POST['flag']` parameter used to construct the file path, and of the `$_POST['code']` content written via `fwrite()`.
- AC-3 (Access Enforcement): enforces logical access controls that confine file write operations to the intended `locale/` directory, preventing traversal to arbitrary writable locations that would yield RCE.
- Session authenticity: mitigates the CSRF exploitation vector (no token validation, cookies set with `SameSite=None`) by requiring session authenticity protections on the `locale/save.php` endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability sits in a public-facing web application (the AVideo platform), so it is exploited via Exploit Public-Facing Application (T1190), and the resulting arbitrary PHP file write enables deployment of web shells for RCE (T1100).
NVD Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
Deeper analysis
CVE-2026-40909 is a path traversal vulnerability (CWE-22) in WWBN AVideo, an open source video platform, affecting versions 29.0 and prior. The issue resides in the `locale/save.php` endpoint, where line 30 directly concatenates the unsanitized `$_POST['flag']` parameter into a file path, and line 40 writes the `$_POST['code']` parameter verbatim to that path using `fwrite()`. This allows attackers to construct paths that escape the intended `locale/` directory and target arbitrary writable locations on the filesystem, enabling the creation of malicious `.php` files for remote code execution (RCE). The vulnerability carries a CVSS v3.1 score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N).
An authenticated admin user, or any attacker capable of tricking an admin into a cross-site request forgery (CSRF) interaction, can exploit this flaw. The endpoint performs no CSRF token validation, and session cookies use `SameSite=None`, which facilitates CSRF. By supplying a crafted `flag` value (e.g., containing `../` sequences) and malicious PHP code in `code`, the attacker can write executable files to server locations such as the web root, leading to full RCE on the host.
The fixing commit, 57f89ffbc27d37c9d9dd727212334846e78ac21a, addresses the issue in the WWBN/AVideo repository. GitHub Security Advisory GHSA-6rc6-p838-686f provides further details on the vulnerability and recommends upgrading to a patched version.
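As an added example (not AVideo's own code and not the fixing commit), the following PHP sketch shows how the SI-10 and AC-3 controls listed under Mitigating Controls, plus a CSRF check, apply to a save handler of the shape described above. It assumes locale files are stored as `<flag>.php` under one directory, that a per-session token lives in `$_SESSION['csrf_token']`, and uses a hypothetical `is_admin()` for the application's admin check.

```php
<?php
// Added example, not AVideo's code: a hardened save handler sketch.
// Assumptions: locale files are "<flag>.php" under $localeDir, the session
// holds a CSRF token in $_SESSION['csrf_token'], and is_admin() is a
// hypothetical stand-in for the application's own admin check.
declare(strict_types=1);

function resolveLocaleFile(string $localeDir, string $flag): ?string
{
    // SI-10: accept only locale identifiers such as "en" or "pt_BR".
    // "/", "\", ".." and NUL bytes all fail this pattern outright.
    if (!preg_match('/^[a-z]{2,3}(_[A-Za-z]{2,4})?\z/', $flag)) {
        return null;
    }
    $base = realpath($localeDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $flag . '.php';
    // AC-3, defence in depth: the file may not exist yet, so resolve the
    // parent directory and require it to be exactly the locale directory.
    if (realpath(dirname($target)) !== $base) {
        return null;
    }
    return $target;
}

function csrfTokenIsValid(mixed $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // Constant-time comparison against the token bound to this session.
    return is_string($submitted) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $submitted);
}

function handleLocaleSave(string $localeDir): int
{
    // Authorization first, then request authenticity, then input validation.
    if (!is_admin() || !csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        return 403;
    }
    $target = resolveLocaleFile($localeDir, (string)($_POST['flag'] ?? ''));
    if ($target === null) {
        return 400; // flag rejected: not a locale id, or it escapes locale/
    }
    file_put_contents($target, (string)($_POST['code'] ?? ''), LOCK_EX);
    return 200;
}
```

The allowlist pattern alone already rejects any traversal sequence; the `realpath()` comparison is kept so the containment guarantee does not depend solely on the regex.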
Details
- CWE(s)