Arbitrary file upload in AVideo - CVE-2026-33717

 


Published: April 8, 2026


Vulnerability identifier: #VU125474
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33717
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the downloadVideoFromDownloadURL() function in objects/aVideoEncoder.json.php when a downloadURL request is processed with an invalid resolution value. A remote user can supply a crafted remote URL pointing to a PHP file and trigger early termination after the file has been written, so that an executable file is left under the web root, and then use it to execute arbitrary code.

Exploitation requires upload permissions and an attacker-controlled server hosting the payload file.
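The weakness described above is one of ordering: the remote file is written to a web-served location before the request is fully validated, so an early exit leaves the file behind. The following is an added illustrative example, written for this page and not AVideo's own code, of a download routine that validates the resolution and the URL before any I/O, fetches into a temporary directory outside the web root, checks the extension and detected MIME type against allowlists, and cleans up the temporary file on every exit path (including `exit()`, via a shutdown function). The function name `downloadVideoSafely`, the directory paths, the allowed resolution and extension lists, and the assumption that `allow_url_fopen` is enabled are all hypothetical.

```php
<?php
// Added example (not AVideo code). Hardened download-to-storage routine:
//   1. validate attacker-influenced inputs before touching network or disk
//   2. download into a temp directory that the web server never serves
//   3. verify extension and sniffed MIME type against allowlists
//   4. remove the temp file on every failure path, including exit()
declare(strict_types=1);

const ALLOWED_RESOLUTIONS = ['240', '360', '480', '720', '1080']; // assumed list
const ALLOWED_EXTENSIONS  = ['mp4', 'webm', 'mkv', 'mov'];        // assumed list

/**
 * @param string $downloadUrl attacker-influenced remote URL
 * @param string $resolution  attacker-influenced resolution string
 * @param string $tmpDir      directory outside the web root (assumed, e.g. /var/lib/app/tmp)
 * @param string $storageDir  final media directory, assumed to be served without PHP execution
 * @return string             path of the stored file
 * @throws RuntimeException   on any validation or I/O failure
 */
function downloadVideoSafely(string $downloadUrl, string $resolution, string $tmpDir, string $storageDir): string
{
    // Fail closed BEFORE any network or filesystem side effect.
    if (!in_array($resolution, ALLOWED_RESOLUTIONS, true)) {
        throw new RuntimeException('invalid resolution');
    }
    $parts = parse_url($downloadUrl);
    if ($parts === false
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)
        || empty($parts['host'])) {
        throw new RuntimeException('invalid download URL');
    }
    // The final extension comes from a server-side allowlist, never from the remote name as-is.
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('disallowed file extension');
    }

    // Temp file lives outside the web root, so even a half-finished download is not reachable.
    $tmpPath = tempnam($tmpDir, 'dl_');
    if ($tmpPath === false) {
        throw new RuntimeException('cannot create temp file');
    }
    // finally {} does not run on exit()/die(); a shutdown function does.
    register_shutdown_function(static function () use ($tmpPath): void {
        if (is_file($tmpPath)) {
            @unlink($tmpPath);
        }
    });

    try {
        $src = @fopen($downloadUrl, 'rb'); // requires allow_url_fopen (assumed)
        if ($src === false) {
            throw new RuntimeException('cannot open remote URL');
        }
        $dst = fopen($tmpPath, 'wb');
        if ($dst === false) {
            fclose($src);
            throw new RuntimeException('cannot open temp file');
        }
        stream_copy_to_stream($src, $dst);
        fclose($src);
        fclose($dst);

        // Sniff the content: a PHP script renamed to .mp4 does not have a video/* MIME type.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = (string) $finfo->file($tmpPath);
        if (!str_starts_with($mime, 'video/')) {
            throw new RuntimeException('content is not a video: ' . $mime);
        }

        // Server-chosen random name; rename() is atomic on the same filesystem.
        $final = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!rename($tmpPath, $final)) {
            throw new RuntimeException('cannot move file into storage');
        }
        return $final;
    } finally {
        // Runs on normal return and on exceptions; after a successful rename() nothing is left.
        if (is_file($tmpPath)) {
            @unlink($tmpPath);
        }
    }
}
```

The important property is that no attacker-supplied content ever sits in a web-served path until every check has passed; the cleanup guards are defence in depth. Keep `$storageDir` outside the document root or behind a web-server rule that disables script execution for that directory, so that a bypass of the extension or MIME checks still does not yield code execution.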


How to mitigate CVE-2026-33717

Install the security update from the vendor's website.

Sources