Mar 23, 2026
Unauthenticated Local File Inclusion (LFI) vulnerability in WWBN AVideo versions up to 26.0 via the 'language' parameter in the API plugin, potentially enabling Remote Code Execution.
CVE-2026-33513 is a high-severity vulnerability in the API plugin of WWBN AVideo (formerly YouPHPTube). The flaw lies in the handling of the locale API name (APIName=locale), which exposes an unauthenticated endpoint to directory traversal. An attacker can use it to include arbitrary local PHP files, leading to information disclosure and potentially to Remote Code Execution (RCE) on the underlying server.
WWBN AVideo is an open-source video platform built on a plugin architecture. The locale handling of its API plugin contains the high-severity flaw tracked as CVE-2026-33513, which lets unauthenticated attackers perform Local File Inclusion (LFI) with a single crafted HTTP request.
The vulnerability lives in the get.json.php endpoint, which processes API requests without authentication or session validation. By setting APIName=locale and supplying a crafted language value, an attacker makes the application traverse out of the locale/ directory and include a file of their choosing from the local filesystem. Because the code appends a hardcoded .php suffix, the target must be a file whose name ends in .php. The weakness maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion').
Exploitation yields immediate information disclosure: the included script runs and its output is returned in the API response, so any application script reachable by a lowercase path can be executed and read back without authentication. Note that include executes the target rather than displaying it, so the raw source of files such as configuration.php is not returned; what leaks is whatever the included code prints or exposes through error output. If the attacker can place a PHP file on the target filesystem through a separate upload mechanism, the vulnerability escalates to arbitrary Remote Code Execution (RCE) in the context of the web server process.
The root cause of CVE-2026-33513 is the missing validation and sanitization of user-supplied input in the get_api_locale() method, which is invoked when the APIName parameter equals locale in a request to plugin/API/get.json.php. The endpoint explicitly opts out of the same-domain check by setting $global['bypassSameDomainCheck'] = 1, and the locale handler performs no authentication of its own, so the code path is reachable by anyone who can send the server an HTTP request.
Once the endpoint receives the request, it reads the language parameter from the GET or POST payload, converts it to lowercase with strtolower() and does nothing else: no path canonicalization, no stripping of ../ sequences and no check against an allow-list of locale identifiers. The lowercasing is the only constraint on the payload; on a case-sensitive filesystem it means only paths made entirely of lowercase characters can be reached.
The application then builds a file path by concatenating the system root path, the literal locale/ directory and the user-supplied language value, followed by a hardcoded .php suffix. The result is passed to file_exists() and then straight into a PHP include statement. Because include evaluates the target as PHP code, the attacker chooses which local .php file the interpreter executes. The suffix cannot be truncated with a null byte: PHP rejects paths containing null bytes, so file_exists() simply reports the file as missing.
The vulnerable code path begins in plugin/API/API.php within get_api_locale(). The method extracts the language parameter and builds the path without sanitization, so the unsanitized $parameters['language'] value flows directly into the include statement.
```php
// Vulnerable code in plugin/API/API.php, get_api_locale()
$parameters['language'] = strtolower($parameters['language']);            // lowercased, nothing else
$file = "{$global['systemRootPath']}locale/{$parameters['language']}.php"; // ../ sequences survive
if (!file_exists($file)) {
    return new ApiObject("This language does not exists");
}
include $file; // executes whatever the traversed path resolves to
```

Because no official patch is currently available, remediation requires manual intervention by developers. A robust fix must validate the path with PHP's realpath(), which resolves symbolic links and ../ components so the application can verify that the final path lies strictly inside the intended locale directory. realpath() returns false when the file does not exist, which covers the missing-file case as well.
```php
// Recommended mitigation code
$baseDir = realpath($global['systemRootPath'] . 'locale/');
if ($baseDir === false) {
    return new ApiObject("Locale directory not found");
}
$requestedFile = realpath($baseDir . '/' . $parameters['language'] . '.php');
// realpath() yields false for a missing file. The trailing separator in the
// prefix check matters: a bare comparison against $baseDir would also accept
// a sibling directory such as locale_backup/.
if ($requestedFile === false || strpos($requestedFile, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    return new ApiObject("Invalid locale specified");
}
include $requestedFile;
```

Exploitation requires a single unauthenticated HTTP GET request to the vulnerable AVideo instance. The attacker targets the /plugin/API/get.json.php endpoint with APIName=locale to reach the vulnerable code path and places standard directory traversal sequences in the language parameter.
```http
GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1
Host: target.example.com
```

In this information-disclosure scenario the application builds the path locale/../view/about.php and executes about.php; the rendered HTML of that page comes back inside the API response. An attacker can iterate over known application paths and execute other scripts, collecting whatever each one outputs, which may include internal paths, configuration details or credentials wherever a script echoes them or fails with a verbose error.
To achieve Remote Code Execution, the attacker must first get a file with a .php name onto the server, typically through a secondary feature such as avatar or attachment uploads. Log-file poisoning, a common LFI escalation, does not apply here: the hardcoded .php suffix means only files whose name ends in .php can be included, and a null byte cannot truncate it. Once a payload is staged, the attacker references it through the traversal vector with a depth that matches where the upload landed relative to locale/. If avatars are stored in videos/user_avatar/ directly under the application root, language=../videos/user_avatar/shell executes the staged shell.php, exactly as ../view/about reached view/about.php above; a videos directory one level above the root would need ../../ instead. Because of strtolower(), the whole staged path must be lowercase. Executing the staged file gives the attacker command execution as the web server user.
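The following script is an added example, not AVideo's own code: it places the vulnerable locale resolution next to the realpath() containment fix and runs both against the payloads discussed above, plus two edge cases (a sibling directory that a bare prefix check accepts, and a null byte). The directory layout it creates under a temporary root (locale/, view/, videos/user_avatar/, locale_backup/) is a constructed fixture mirroring the paths named in this write-up, and the marker strings returned by each file are there only to show which file include executed.

```php
<?php
// Added example: vulnerable vs. hardened locale resolution on a constructed
// fixture. The directory layout and file contents are assumptions for the
// demonstration, not AVideo's real tree.

declare(strict_types=1);

function makeFixture(): string
{
    $root = sys_get_temp_dir() . '/avideo_lfi_' . bin2hex(random_bytes(4)) . '/';
    foreach (['locale', 'locale_backup', 'view', 'videos/user_avatar'] as $dir) {
        mkdir($root . $dir, 0700, true);
    }
    // Each file returns a marker so the output shows which file was executed.
    file_put_contents($root . 'locale/en.php', "<?php return 'locale en';");
    file_put_contents($root . 'view/about.php', "<?php return 'about page executed';");
    file_put_contents($root . 'videos/user_avatar/shell.php', "<?php return 'staged payload executed';");
    file_put_contents($root . 'locale_backup/en.php', "<?php return 'sibling directory executed';");
    return $root;
}

// Mirrors get_api_locale(): lowercase, concatenate, file_exists(), include.
function vulnerableLocale(string $root, string $language): string
{
    $language = strtolower($language);
    $file = "{$root}locale/{$language}.php";
    if (!file_exists($file)) {       // false for missing files and for null bytes
        return 'This language does not exists';
    }
    $result = include $file;         // executes whatever the path resolves to
    return (string) $result;
}

// Containment check. $strict = false reproduces a bare prefix comparison,
// which a sibling directory such as locale_backup/ satisfies.
function isUnder(string $path, string $baseDir, bool $strict): bool
{
    $prefix = $strict ? $baseDir . DIRECTORY_SEPARATOR : $baseDir;
    return strpos($path, $prefix) === 0;
}

// Hardened variant: resolve with realpath(), then require the result to sit
// below locale/. Null bytes are rejected up front because realpath() refuses
// them with a ValueError on PHP 8.
function hardenedLocale(string $root, string $language, bool $strict = true): string
{
    if (strpos($language, "\0") !== false) {
        return 'Invalid locale specified';
    }
    $baseDir = realpath($root . 'locale');
    if ($baseDir === false) {
        return 'Locale directory not found';
    }
    $requested = realpath($baseDir . '/' . strtolower($language) . '.php');
    if ($requested === false || !isUnder($requested, $baseDir, $strict)) {
        return 'Invalid locale specified';
    }
    $result = include $requested;
    return (string) $result;
}

$root = makeFixture();
$payloads = [
    'en',                           // legitimate locale
    '../view/about',                // information-disclosure request from the write-up
    '../videos/user_avatar/shell',  // staged payload, one level above locale/
    '../locale_backup/en',          // sibling directory: defeats a bare prefix check
    "../view/about\0",              // null byte cannot truncate the .php suffix
];
foreach ($payloads as $p) {
    printf("%-34s vulnerable: %-30s bare-prefix: %-30s hardened: %s\n",
        json_encode($p),
        vulnerableLocale($root, $p),
        hardenedLocale($root, $p, false),
        hardenedLocale($root, $p, true));
}
```

Run with any PHP 7.1+ CLI. The vulnerable column executes about.php, shell.php and the sibling file; the bare-prefix column stops the first two but still executes locale_backup/en.php, which is why the separator in the prefix comparison is not optional; the hardened column only ever includes locale/en.php.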
The vulnerability carries a High severity CVSS v3.1 score of 8.6, reflecting the minimal complexity and lack of authentication required for exploitation. The attack vector is strictly network-based, allowing remote adversaries to target public-facing AVideo installations over standard HTTP/HTTPS ports. No user interaction or specialized privileges are necessary.
The primary impact is on confidentiality. Any PHP script on the host whose path is lowercase can be executed without authentication and its output read back. Configuration files such as configuration.php hold database credentials, cryptographic keys and internal API tokens; because include executes rather than displays a file, these are not returned verbatim, but any script that prints or logs them, or a verbose PHP error triggered during inclusion, exposes them. With such material an attacker can move laterally within the infrastructure or reach backend systems directly.
The secondary and more severe impact is Remote Code Execution. RCE requires a way to write a .php file somewhere the web server can read, usually an upload feature, and a video platform offers several by design. Successful RCE gives the attacker the privileges of the web server process, enough for full compromise of the host, data exfiltration and persistent access.
As of the vulnerability's disclosure, no official patched versions are available for AVideo. System administrators must apply immediate mitigations to protect exposed installations. The most effective interim solution is to disable the API plugin entirely via the AVideo plugin manager if the functionality is not business-critical.
For environments where the API plugin must stay active, administrators should add Web Application Firewall (WAF) rules for requests to the get.json.php endpoint. A rule that merely blocks the literal strings ../ and ..\ is evaded by percent-encoding (%2e%2e%2f), which the web server decodes before PHP sees it, so the WAF must decode the parameter once before matching, and it must inspect POST bodies as well as the query string because the endpoint reads both. A stronger rule rejects any language value that is not a plain locale identifier, for example anything not matching ^[a-z]{2}(_[a-z]{2})?$ (adjusted to the file names actually present in locale/). Either way this is a temporary layer against automated exploitation, not a fix.
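As an added example (not part of the original write-up or of AVideo), the allow-list rule above applied to constructed access-log lines in combined log format. The query string is decoded once, exactly as the web server does before handing it to PHP, so raw, percent-encoded and double-encoded traversal all end up failing the same identifier test. The locale identifier pattern and the log lines are assumptions for the demonstration.

```php
<?php
// Added example: detection rule for the get.json.php locale endpoint over
// constructed access-log lines. The identifier pattern is an assumption;
// adjust it to the locale file names actually present in locale/.

declare(strict_types=1);

// Pull APIName and language out of the quoted request line. parse_str()
// percent-decodes once, matching what PHP receives from the web server.
function localeParams(string $logLine): ?array
{
    if (preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m) !== 1) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    if (!isset($params['APIName']) || !is_string($params['APIName'])
        || strtolower($params['APIName']) !== 'locale') {
        return null;
    }
    $language = $params['language'] ?? '';
    return ['language' => is_string($language) ? $language : ''];
}

// Allow-list rule: anything that is not a plain locale identifier is flagged.
// Double-encoded payloads still contain '%' after one decode and fail too.
function isSuspiciousLocaleRequest(string $logLine): bool
{
    $p = localeParams($logLine);
    if ($p === null) {
        return false; // not a locale request at all
    }
    return preg_match('/^[a-z]{2}(?:_[a-z]{2})?$/', strtolower($p['language'])) !== 1;
}

// Constructed sample log lines, not captured from a real host.
$prefix = '203.0.113.5 - - [23/Mar/2026:10:00:00 +0000] ';
$lines = [
    $prefix . '"GET /plugin/API/get.json.php?APIName=locale&language=en HTTP/1.1" 200 512',
    $prefix . '"GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1" 200 9031',
    $prefix . '"GET /plugin/API/get.json.php?APIName=locale&language=%2e%2e%2fview%2fabout HTTP/1.1" 200 9031',
    $prefix . '"GET /plugin/API/get.json.php?APIName=locale&language=%252e%252e%252fview HTTP/1.1" 200 71',
    $prefix . '"GET /plugin/API/get.json.php?APIName=version HTTP/1.1" 200 88',
];
foreach ($lines as $line) {
    printf("%s  %s\n", isSuspiciousLocaleRequest($line) ? 'ALERT' : 'ok   ', $line);
}
```

The first and last lines pass; the three traversal variants are flagged. Access logs do not record POST bodies, so the same test has to run in the WAF or in a PHP-level hook to cover the POST path the endpoint also accepts.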
Developers maintaining custom AVideo deployments must patch get_api_locale() themselves. Beyond the realpath() containment check, the implementation should stop using include for language files altogether. The cleaner architectural fix validates the identifier against an allow-list and stores locale data as JSON parsed with json_decode(), which can only ever produce data, so no file reached during localization can be executed as code.
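An added example of that data-only loader (illustrative code, not AVideo's): the identifier is allow-listed before it touches the filesystem, and the locale file is parsed as JSON rather than included. The locale file names (en.json), the identifier pattern and the tampered file planted in the fixture are assumptions for the demonstration.

```php
<?php
// Added example: locale loading without include. File names, identifier
// pattern and fixture contents are assumptions, not AVideo's layout.

declare(strict_types=1);

function loadLocale(string $localeDir, string $language): array
{
    $language = strtolower($language);
    // Allow-list the identifier before building a path: two letters plus an
    // optional region suffix. Traversal characters never get past this line.
    if (preg_match('/^[a-z]{2}(?:_[a-z]{2})?$/', $language) !== 1) {
        throw new InvalidArgumentException('Invalid locale specified');
    }
    $file = $localeDir . '/' . $language . '.json';
    if (!is_file($file)) {
        throw new RuntimeException('This language does not exist');
    }
    // json_decode() yields data only: a file holding "<?php ..." is a JSON
    // syntax error (JsonException), never executed code.
    $data = json_decode(file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('Locale file must contain a JSON object');
    }
    return $data;
}

// Constructed fixture: one valid locale and one file an attacker tampered with.
$dir = sys_get_temp_dir() . '/avideo_locale_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/en.json", json_encode(['Login' => 'Login', 'Sign up' => 'Sign up']));
file_put_contents("$dir/xx.json", "<?php system('id'); ?>");

foreach (['en', '../view/about', 'xx', 'de'] as $lang) {
    try {
        $strings = loadLocale($dir, $lang);
        printf("%-16s loaded %d strings\n", $lang, count($strings));
    } catch (Throwable $e) {
        printf("%-16s rejected: %s (%s)\n", $lang, $e->getMessage(), get_class($e));
    }
}
```

Only en loads; the traversal value is rejected by the allow-list, the tampered xx.json fails JSON parsing instead of running, and the missing de reports a clean not-found error. Requires PHP 7.3+ for JSON_THROW_ON_ERROR.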
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| WWBN AVideo | <= 26.0 | None |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Attack Vector | Network |
| CVSS v3.1 Score | 8.6 (High) |
| Impact | Information Disclosure / RCE |
| Exploit Status | Proof of Concept |
| Authentication | None Required |
| KEV Status | Not Listed |