CVE-2026-28502

Critical CVSS: 9.3

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

Vendor

Wwbn

Product

Avideo

CWE

CWE-434

Yayın Tarihi

2026-03-06 04:16:08

Güncelleme

2026-03-16 15:03:31

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-434 Avideo CRITICAL Wwbn 2026

Referanslar

https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db https://github.com/WWBN/AVideo/releases/tag/24.0 https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3

Benzer Kayıtlar

Medium

CVE-2026-34733

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteS…

Medium

CVE-2026-34737

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug…

Medium

CVE-2026-34738

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an…

Medium

CVE-2026-34739

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page ref…

Medium

CVE-2026-34740

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link featur…

Medium

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json…