CVE-2026-33647

{"id": "CVE-2026-33647", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-23T19:16:40.750", "references": [{"url": "https://github.com/WWBN/AVideo/commit/345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wxjw-phj6-g75w", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el m\u00e9todo 'ImageGallery::saveFile()' valida el contenido de los archivos subidos usando la detecci\u00f3n de tipo MIME 'finfo' pero deriva la extensi\u00f3n del nombre de archivo guardado del nombre de archivo original proporcionado por el usuario sin una verificaci\u00f3n de lista de permitidos. Un atacante puede subir un archivo pol\u00edglota (bytes m\u00e1gicos JPEG v\u00e1lidos seguidos de c\u00f3digo PHP) con una extensi\u00f3n '.php'. La verificaci\u00f3n MIME pasa, pero el archivo se guarda como un archivo '.php' ejecutable en un directorio accesible por web, logrando Ejecuci\u00f3n Remota de C\u00f3digo. El commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contiene un parche."}], "lastModified": "2026-03-25T17:54:10.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}