#VU125468 Improper Control of Filename for Include/Require Statement in PHP Program in AVideo - CVE-2026-33513
Published: April 8, 2026
Vulnerability identifier: #VU125468
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33513
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
AVideo
AVideo
Software vendor:
World Wide Broadcast Network
World Wide Broadcast Network
Description
The vulnerability allows a remote attacker to disclose sensitive information and execute arbitrary code.
The vulnerability exists due to improper control of filename for include statement in PHP program in the API locale endpoint when processing a crafted language parameter. A remote attacker can send a specially crafted request with path traversal sequences to disclose sensitive information and execute arbitrary code.
Only deployments with the API plugin enabled are vulnerable, and code execution requires a writable or otherwise attacker-controlled PHP file to be present under the web root.
Remediation
Install security update from vendor's website.