CVE-2026-33513
Received Received - Intake
Path Traversal in WWBN AVideo API Enables Remote Code Execution

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33513
EUVD
EUVD-2026-14480
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33513 is a high-severity vulnerability in the WWBN AVideo open source video platform (versions up to 26.0). It affects an unauthenticated API endpoint called 'locale' that accepts user input and directly concatenates it into a PHP include path without any validation or restrictions."}, {'type': 'paragraph', 'content': "Because the input is not sanitized or restricted, attackers can perform path traversal attacks by including sequences like '../' to access arbitrary PHP files anywhere under the web root."}, {'type': 'paragraph', 'content': 'This allows attackers to disclose files and execute PHP code from those files. If an attacker can upload or control a PHP file elsewhere on the server, they can achieve remote code execution (RCE).'}] [1]

Impact Analysis

This vulnerability can have serious impacts including:

  • File Disclosure: Attackers can read arbitrary PHP files on the server, potentially exposing sensitive information such as configuration files or secrets.
  • Code Execution: By including attacker-controlled PHP files, attackers can execute arbitrary code on the server, leading to full remote code execution.
  • Confidentiality Breach: Sensitive data can be leaked through disclosed files.
  • No authentication is required to exploit this vulnerability, making it easy for attackers to leverage it remotely over the network.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the vulnerable API endpoint with path traversal payloads in the `language` parameter to see if arbitrary PHP files under the web root are included and executed.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send an HTTP GET request to the endpoint `/plugin/API/get.json.php` with parameters `APIName=locale` and `language` set to a path traversal string such as `../view/about`.'}, {'type': 'paragraph', 'content': 'Example command using curl to detect file disclosure:'}, {'type': 'list_item', 'content': 'curl -i "http://<target>/plugin/API/get.json.php?APIName=locale&language=../view/about"'}, {'type': 'paragraph', 'content': 'If the response contains the content of the `about.php` page or other unexpected PHP files, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'For detecting potential Remote Code Execution (RCE), if an attacker-controlled PHP file exists, the following command can be used to test execution:'}, {'type': 'list_item', 'content': 'curl -i "http://<target>/plugin/API/get.json.php?APIName=locale&language=../videos/locale/shell&x=whoami"'}, {'type': 'paragraph', 'content': 'If the output of the command (e.g., the username running the web server) is returned, RCE is confirmed.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Reject any path separators (`/`, `\`) and dot characters (`.`) in the `language` parameter to prevent path traversal.
  • Enforce a strict allowlist of valid locale slugs to ensure only expected language files are included.
  • Use `realpath()` or equivalent to canonicalize the target file path and verify it remains within the intended `locale/` directory before including.
  • Avoid using PHP `include` to load translation files; instead, load translations from safe, vetted formats such as JSON or PHP arrays.
  • Add authentication mechanisms such as API secrets or tokens to restrict access to the vulnerable API endpoint.

Since no patched versions are available at the time of the advisory, these mitigations should be applied manually or via configuration changes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart