CVE-2026-33483 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch.


Analysis

by VulDB Data Team • 03/27/2026

CVE-2026-33483 affects the WWBN AVideo platform in version 26.0 and earlier releases. It is a critical flaw in the platform's architecture that stems from missing authentication and missing resource-management controls in the `aVideoEncoderChunk.json.php` endpoint. The endpoint runs as a standalone PHP script without any framework integration or security safeguards, which creates a significant attack surface. This design violates fundamental security principles by exposing a core system component to unauthenticated access without access controls or input validation.

Because the endpoint requires no authentication, an attacker can send arbitrary POST data directly to it. The script processes these requests without any size limit, rate limiting, or cleanup procedure, so an attacker can continuously write data to temporary files under `/tmp/`. That directory typically shares a filesystem with the server's critical operations, which makes it a prime target for resource exhaustion. With no resource caps or monitoring in place, available disk space can be consumed rapidly, without detection or interruption, producing a denial of service condition that affects the entire server.
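The write pattern described above (many unauthenticated POSTs, each adding bytes under `/tmp/`) is visible in ordinary web server logs long before the disk fills. The following detection script is an added example, not part of the advisory or of the AVideo project: it parses access-log lines in combined format with the request length appended as a trailing field (nginx `$request_length` or Apache mod_logio `%I`; that format is an assumption), keeps only POSTs whose script name is `aVideoEncoderChunk.json.php`, and flags any client that exceeds a request-count or byte-volume threshold within a sliding window. The log lines, client addresses and thresholds are constructed for illustration; the endpoint's real directory is not given on this page, so the constructed lines place the script at the web root.

```python
"""Flag chunk-upload floods against aVideoEncoderChunk.json.php from access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET_SCRIPT = "aVideoEncoderChunk.json.php"

# Combined log format plus one trailing field: the request length in bytes
# (nginx `$request_length` / Apache mod_logio `%I`). The format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<resp>\d+|-) "[^"]*" "[^"]*" (?P<reqlen>\d+)$'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        # script name only: strip the query string and any directory prefix
        "script": m["path"].split("?", 1)[0].rsplit("/", 1)[-1],
        "reqlen": int(m["reqlen"]),
    }


def detect_chunk_flood(lines, window=timedelta(seconds=60), max_requests=20,
                       max_bytes=50 * 1024 * 1024):
    """Return {client_ip: reason} for clients whose chunk POSTs exceed a threshold in the window."""
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["script"] == TARGET_SCRIPT]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> (timestamp, request bytes) inside the sliding window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append((e["ts"], e["reqlen"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(n for _, n in q)
        if e["ip"] in flagged:
            continue  # report each client once, at the first threshold crossed
        if len(q) >= max_requests:
            flagged[e["ip"]] = f"{len(q)} chunk POSTs within {window.seconds}s"
        elif total >= max_bytes:
            flagged[e["ip"]] = f"{total} request bytes within {window.seconds}s"
    return flagged


def _line(ip, second, method, path, reqlen):
    """Build one constructed log line (all values are synthetic)."""
    return (f'{ip} - - [23/Mar/2026:10:00:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 52 "-" "curl/8.0" {reqlen}')


# Constructed sample: one client sends 30 small chunks in 30 s, another sends six 10 MiB
# chunks, a third behaves normally (three 1 MiB chunks plus a status GET).
SAMPLE_LOG = (
    [_line("198.51.100.7", s, "POST", "/" + TARGET_SCRIPT, 1024) for s in range(30)]
    + [_line("198.51.100.9", s * 5, "POST", "/" + TARGET_SCRIPT, 10 * 1024 * 1024) for s in range(6)]
    + [_line("203.0.113.5", s * 10, "POST", "/" + TARGET_SCRIPT, 1024 * 1024) for s in range(3)]
    + [_line("203.0.113.5", 40, "GET", "/" + TARGET_SCRIPT + "?status=1", 0)]
)


if __name__ == "__main__":
    for ip, reason in detect_chunk_flood(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

Both thresholds matter: a flood of tiny requests exhausts inodes and process slots while staying under any byte budget, and a handful of very large requests fills the disk while staying under any request-count budget. Tune the window and limits to the encoder's legitimate chunk cadence before alerting on them.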

The operational impact extends beyond simple service disruption: the condition can lead to complete system compromise and potential data loss. Once disk space is exhausted, the server may stop responding to legitimate users and system processes, causing cascading failures across the platform's functionality. The attack can be executed remotely without credentials or prior access, which makes it particularly dangerous for publicly accessible systems. The vulnerability maps to CWE-400, "Uncontrolled Resource Consumption" or "Resource Exhaustion," and aligns with ATT&CK technique T1499.004 for "Resource Hijacking" and T1499.001 for "Network Denial of Service." The missing input sanitization and resource management together allow this weakness to be turned into persistent disruption of service.

The patch in commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 addresses the vulnerability by adding authentication to the endpoint and imposing resource limits. As a matter of security practice, every server endpoint should require authentication, rate-limit requests to prevent abuse, and clean up temporary files automatically. Organizations should apply the patch immediately and audit the platform's other endpoints for similar weaknesses. The incident underscores the importance of secure coding practices, including input validation, proper access controls, and resource management, particularly in open source platforms that may be deployed without adequate hardening by administrators.
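The controls named in this paragraph (authentication, rate limiting, size caps, automatic cleanup of temporary files) are the ones the vulnerable endpoint lacked. The class below is an added example, written here for illustration; it is not the AVideo project's code and not a description of what the patch commit actually changed. It models a chunk-receiving endpoint in Python with a constant-time shared-secret check, a per-client sliding-window rate limit, per-chunk and per-upload byte caps, an allow-listed upload id so the spool file name cannot escape the spool directory, and a janitor that removes `.part` files nobody has touched for a configured period. The secret, limits, client address and upload ids are constructed values.

```python
"""Chunk-upload receiver with the missing controls: auth, rate limit, size caps, stale cleanup (added example)."""
import hmac
import os
import tempfile
import time
from collections import defaultdict, deque


class ChunkReceiver:
    def __init__(self, spool_dir, shared_secret, max_chunk_bytes=8 * 1024 * 1024,
                 max_upload_bytes=2 * 1024 ** 3, max_requests_per_minute=60,
                 stale_after_seconds=3600):
        self.spool_dir = spool_dir
        self.secret = shared_secret            # shared with the encoder; constructed in demo()
        self.max_chunk = max_chunk_bytes
        self.max_upload = max_upload_bytes
        self.rate = max_requests_per_minute
        self.stale_after = stale_after_seconds
        self.recent = defaultdict(deque)       # client ip -> timestamps of authenticated requests
        self.upload_bytes = defaultdict(int)   # upload id -> bytes spooled so far

    def handle(self, client_ip, token, upload_id, chunk):
        """Process one POSTed chunk; return (http_status, reason)."""
        # 1. Authenticate before touching any resource, with a constant-time comparison.
        if not token or not hmac.compare_digest(token, self.secret):
            return 401, "unauthorized"
        # 2. Per-client rate limit over a 60 s sliding window.
        now = time.time()
        q = self.recent[client_ip]
        q.append(now)
        while q and now - q[0] > 60:
            q.popleft()
        if len(q) > self.rate:
            return 429, "rate limited"
        # 3. The upload id becomes part of a file name: allow-list it.
        if not upload_id.isalnum():
            return 400, "bad upload id"
        # 4. Size caps, per chunk and cumulative per upload.
        if len(chunk) > self.max_chunk:
            return 413, "chunk too large"
        if self.upload_bytes[upload_id] + len(chunk) > self.max_upload:
            return 413, "upload quota exceeded"
        with open(os.path.join(self.spool_dir, f"{upload_id}.part"), "ab") as f:
            f.write(chunk)
        self.upload_bytes[upload_id] += len(chunk)
        return 200, "ok"

    def cleanup_stale(self):
        """Delete .part files not modified within stale_after seconds; return the count removed."""
        removed = 0
        cutoff = time.time() - self.stale_after
        for name in os.listdir(self.spool_dir):
            path = os.path.join(self.spool_dir, name)
            if name.endswith(".part") and os.path.getmtime(path) < cutoff:
                os.remove(path)
                removed += 1
        return removed


def demo():
    """Drive each control with constructed requests and return the observed outcomes."""
    secret = "constructed-encoder-secret"
    spool = tempfile.mkdtemp(prefix="chunks-")
    rx = ChunkReceiver(spool, secret, max_chunk_bytes=1024, max_upload_bytes=3000,
                       max_requests_per_minute=8)
    ip = "203.0.113.5"
    requests = [
        (ip, "wrong-token", "vid1", b"a" * 10),   # no valid token: rejected, not counted
        (ip, secret, "../etc", b"a" * 10),        # path-like upload id
        (ip, secret, "vid1", b"a" * 2048),        # chunk above the per-chunk cap
        (ip, secret, "vid1", b"a" * 1000),
        (ip, secret, "vid1", b"a" * 1000),
        (ip, secret, "vid1", b"a" * 1000),        # upload now exactly at its 3000-byte quota
        (ip, secret, "vid1", b"a"),               # one byte over quota
        (ip, secret, "vid2", b"b" * 10),
        (ip, secret, "vid2", b"b" * 10),
        (ip, secret, "vid2", b"b" * 10),          # ninth authenticated request in the window
    ]
    codes = [rx.handle(*r)[0] for r in requests]
    vid1 = os.path.join(spool, "vid1.part")
    vid1_bytes = os.path.getsize(vid1)
    # Age vid1.part by two hours so the janitor treats it as abandoned; vid2.part stays fresh.
    old = time.time() - 7200
    os.utime(vid1, (old, old))
    removed = rx.cleanup_stale()
    return {"codes": codes, "vid1_bytes": vid1_bytes,
            "stale_removed": removed, "remaining": sorted(os.listdir(spool))}


if __name__ == "__main__":
    print(demo())
```

The ordering is deliberate: authentication is checked before the request is counted or any byte is written, so unauthenticated traffic cannot consume spool space at all, and the rate limit and quotas bound what an authenticated but misbehaving encoder can consume. In a real deployment `cleanup_stale()` would run from a scheduler, and the spool directory should live on its own filesystem or quota so that even a full spool cannot starve the rest of the server.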

Responsible

GitHub M

Reservation

03/20/2026

Disclosure

03/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00610

KEV

no

Activities

very low
