CVE-2026-33717 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an invalid `resolution` parameter, an attacker triggers an early `die()` via `forbiddenPage()` before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at `videos/cache/tmpFile/`. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability identified as CVE-2026-33717 affects the WWBN AVideo platform version 26.0 and earlier, representing a critical security flaw in the video encoding and download functionality. This issue stems from improper handling of temporary file creation and cleanup processes within the `downloadVideoFromDownloadURL()` function located in `objects/aVideoEncoder.json.php`. The flaw enables attackers to manipulate the system into creating executable PHP files in web-accessible directories, creating a persistent backdoor opportunity.
The technical implementation of this vulnerability involves the `downloadVideoFromDownloadURL()` function which processes remote video content by downloading it to a temporary directory designated as `videos/cache/tmpFile/`. The function utilizes the original URL's filename and extension to determine the temporary file name, including preserving the `.php` extension when present in the source URL. This behavior becomes exploitable when an attacker provides a malicious `resolution` parameter that triggers an early termination of the function execution through the `forbiddenPage()` function, causing the `die()` statement to execute before the temporary file undergoes proper cleanup or relocation.
The operational impact of this vulnerability extends beyond simple code execution, as it creates a persistent threat vector that remains active until manual system cleanup occurs. The created PHP files are stored in the web root directory structure, making them immediately executable by web servers without requiring additional privileges or complex attack chains. This vulnerability directly aligns with CWE-434, which describes insecure file upload and download scenarios where the system fails to properly validate file types and locations. The persistence of these executable files in the web-accessible `videos/cache/tmpFile/` directory provides attackers with continuous access to execute arbitrary code on the affected server.
The attack surface is particularly concerning due to the combination of improper temporary file handling and inadequate input validation. When the `resolution` parameter is manipulated to trigger the early `die()` execution, the temporary file remains in the web-accessible directory with its original extension, including potentially malicious PHP code. This vulnerability also maps to ATT&CK technique T1505.003, which covers "Obfuscated Files or Information" and "Web Shell" creation, as the persistent PHP files can be used to establish long-term access to the compromised system. The lack of proper file cleanup mechanisms and the absence of validation for the temporary file names creates an exploitable condition that allows attackers to inject and maintain web shells within the platform's directory structure.
Mitigation strategies should focus on immediate patch application to version 26.1 or later, which contains the necessary commit 6da79b43484099a0b660d1544a63c07b633ed3a2 that addresses the core issue. Additionally, administrators should implement proper temporary file validation and cleanup procedures, ensuring that all downloaded content undergoes strict extension filtering and that temporary files are properly removed regardless of execution flow. Network-level monitoring should be enhanced to detect unusual file creation patterns in web-accessible directories, and the system should be configured to prevent execution of PHP files in cache directories. Regular security audits of file handling functions and proper input validation should be enforced across all platform components to prevent similar vulnerabilities from emerging in future releases.