Arbitrary file upload in AVideo - CVE-2026-33647

 


Published: May 4, 2026


Vulnerability identifier: #VU129515
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33647
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of files with dangerous types in ImageGallery::saveFile() when handling file uploads through the ImageGallery upload endpoint. A remote user can upload a specially crafted polyglot file with a dangerous extension to execute arbitrary code.

Exploitation requires the ImageGallery plugin to be enabled, and the user must have manage permission on the targeted Image or Gallery video.
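
A polyglot file passes a content check as an image while keeping a dangerous extension, so a defensive upload handler has to validate both and must not reuse the client-supplied name. The following is an added example of such a check, not AVideo's code or the vendor's fix; the function name `safeStoredName`, the allowlist and the sample file are assumptions made for illustration, and PHP's fileinfo extension is assumed to be available.

```php
<?php
// Added example: hypothetical helper, not taken from AVideo.

// Allowlist: sniffed content type => the only extension it may be stored with.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Choose the stored file name for an upload. The client-supplied name is
 * only checked, never reused: the extension comes from the sniffed type
 * and the base name is random.
 */
function safeStoredName(string $tmpPath, string $clientName): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('rejected: content type not allowed');
    }
    $expected = ALLOWED_IMAGE_TYPES[$mime];
    // pathinfo() returns the last extension, so "a.gif.php" yields "php".
    $claimed = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($claimed === 'jpeg') {
        $claimed = 'jpg';
    }
    if ($claimed !== $expected) {
        throw new RuntimeException("rejected: extension '$claimed' does not match $mime");
    }
    return bin2hex(random_bytes(16)) . '.' . $expected;
}

// Constructed sample: a GIF header followed by trailing non-image bytes,
// standing in for a file that sniffs as an image but carries extra data.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;" . 'trailing data');

foreach (['photo.gif', 'photo.php', 'photo.gif.php'] as $name) {
    try {
        echo $name, ' -> ', safeStoredName($tmp, $name), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ' -> ', $e->getMessage(), PHP_EOL;
    }
}
unlink($tmp);
```

Only `photo.gif` is accepted, and it is stored under a random name with the `.gif` extension. Configuring the web server not to execute scripts from the upload directory adds a second layer.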


How to mitigate CVE-2026-33647

Install the security update from the vendor's website.
