CVE-2026-28502

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db	Patch
https://github.com/WWBN/AVideo/releases/tag/24.0	Product Release Notes
https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

16 Mar 2026, 15:03

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wwbn:avideo::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
References	~~() https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db -~~	() https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db - Patch
References	~~() https://github.com/WWBN/AVideo/releases/tag/24.0 -~~	() https://github.com/WWBN/AVideo/releases/tag/24.0 - Product, Release Notes
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3 -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3 - Vendor Advisory
First Time		Wwbn Wwbn avideo

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 24.0, se identificó una vulnerabilidad de ejecución remota de código (RCE) autenticada en AVideo relacionada con la funcionalidad de carga/importación de plugins. El problema permitía a un administrador autenticado subir un archivo ZIP especialmente diseñado que contenía archivos ejecutables del lado del servidor. Debido a la validación insuficiente del contenido de los archivos extraídos, el archivo se extraía directamente en un directorio de plugins accesible por la web, lo que permitía la ejecución arbitraria de código PHP. Este problema ha sido parcheado en la versión 24.0.

06 Mar 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 04:16

Updated : 2026-03-16 15:03

NVD link : CVE-2026-28502

Mitre link : CVE-2026-28502

CVE.ORG link : CVE-2026-28502

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

8.8 /10