Description
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3
Patch (x_refsource_misc): https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db
Release Notes (x_refsource_misc): https://github.com/WWBN/AVideo/releases/tag/24.0
Scores
CVSS v3: 8.8
EPSS: 0.0067
EPSS Percentile: 47.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-434
Status: published
Products (3)
wwbn/avideo
< 24.0
wwbn/avideo
0Packagist
WWBN/AVideo
< 24.0
Published: Mar 06, 2026
Tracked Since: Mar 06, 2026