Improper Control of Filename for Include/Require Statement in PHP Program in AVideo - CVE-2026-33513
Published: April 8, 2026
Vulnerability identifier: #VU125468
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33513
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo
AVideo
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information and execute arbitrary code.
The vulnerability exists due to improper control of filename for include statement in PHP program in the API locale endpoint when processing a crafted language parameter. A remote attacker can send a specially crafted request with path traversal sequences to disclose sensitive information and execute arbitrary code.
Only deployments with the API plugin enabled are vulnerable, and code execution requires a writable or otherwise attacker-controlled PHP file to be present under the web root.
How to mitigate CVE-2026-33513
Install security update from vendor's website.