Executive Summary

CVE-2026-33717 is a high-severity Remote Code Execution (RCE) vulnerability in the WWBN AVideo platform affecting versions up to 26.0. The issue arises in the function downloadVideoFromDownloadURL() which downloads remote files to a web-accessible temporary directory using the original filename and extension from the URL, including potentially dangerous .php files.

If an attacker provides an invalid resolution parameter, the function triggers an early termination before the temporary file is moved or deleted. This leaves the malicious PHP file persistently accessible under the web root, allowing the attacker to execute arbitrary PHP code by accessing the file directly.

The vulnerability requires an authenticated user with upload permissions to exploit, who can upload a PHP webshell and trigger the flaw with a specially crafted request.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users with upload rights to execute arbitrary PHP code remotely on the server hosting the AVideo platform.

• Full server compromise, including reading and writing files.
• Execution of system commands.
• Access to database credentials.
• Lateral movement within the network.
• Destruction or modification of platform content.

The attack requires only one HTTP request plus hosting the malicious payload and leaves minimal traces in normal logs.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of unexpected or suspicious PHP files in the web-accessible temporary directory located at videos/cache/tmpFile/. Since the vulnerability leaves executable PHP files accessible under this directory, scanning for such files can help identify exploitation.'}, {'type': 'paragraph', 'content': 'You can use commands to list PHP files in the vulnerable directory, for example:'}, {'type': 'list_item', 'content': "find /path/to/avideo/videos/cache/tmpFile/ -type f -name '*.php'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring HTTP access logs for requests to files under videos/cache/tmpFile/ with .php extensions may reveal attempts to execute malicious payloads.'}, {'type': 'paragraph', 'content': 'Since the attack requires an authenticated user with upload permissions, reviewing upload activity logs and looking for unusual or invalid resolution parameters in requests to the downloadVideoFromDownloadURL() endpoint can also help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Apply the patch from commit 6da79b43484099a0b660d1544a63c07b633ed3a2 which adds validation of the resolution parameter before downloading and validates the file extension of the download URL against a whitelist to prevent saving dangerous files.
• Add a .htaccess file in the videos/cache/tmpFile/ directory to deny execution of PHP and related script files, effectively disabling PHP execution in that directory.
• Restrict upload permissions to trusted users only, as exploitation requires authenticated users with upload rights.
• Monitor the temporary directory for any unexpected PHP files and remove them immediately.

Useful 0 Not Useful 0