CVE-2026-28502

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db
https://github.com/WWBN/AVideo/releases/tag/24.0
https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3

Configurations

No configuration.

History

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 24.0, se identificó una vulnerabilidad de ejecución remota de código (RCE) autenticada en AVideo relacionada con la funcionalidad de carga/importación de plugins. El problema permitía a un administrador autenticado subir un archivo ZIP especialmente diseñado que contenía archivos ejecutables del lado del servidor. Debido a la validación insuficiente del contenido de los archivos extraídos, el archivo se extraía directamente en un directorio de plugins accesible por la web, lo que permitía la ejecución arbitraria de código PHP. Este problema ha sido parcheado en la versión 24.0.

06 Mar 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 04:16

Updated : 2026-03-09 13:36

NVD link : CVE-2026-28502

Mitre link : CVE-2026-28502

CVE.ORG link : CVE-2026-28502

JSON object : View

Products Affected

No product.

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-28502", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T04:16:08.370", "references": [{"url": "https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db", "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/releases/tag/24.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 24.0, se identific\u00f3 una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) autenticada en AVideo relacionada con la funcionalidad de carga/importaci\u00f3n de plugins. El problema permit\u00eda a un administrador autenticado subir un archivo ZIP especialmente dise\u00f1ado que conten\u00eda archivos ejecutables del lado del servidor. Debido a la validaci\u00f3n insuficiente del contenido de los archivos extra\u00eddos, el archivo se extra\u00eda directamente en un directorio de plugins accesible por la web, lo que permit\u00eda la ejecuci\u00f3n arbitraria de c\u00f3digo PHP. Este problema ha sido parcheado en la versi\u00f3n 24.0."}], "lastModified": "2026-03-09T13:36:08.413", "sourceIdentifier": "security-advisories@github.com"}