CVE-2026-33483: CWE-770: Allocation of Resources Without Limits or Throttling in WWBN AVideo
CVE-2026-33483 is a high-severity vulnerability in WWBN AVideo versions up to 26.0, where an unauthenticated attacker can exploit the aVideoEncoderChunk.json.php endpoint to cause disk space exhaustion. This endpoint lacks authentication, resource limits, and cleanup, allowing arbitrary POST data to be written to persistent temp files without size or rate restrictions. The vulnerability leads to denial of service by filling the server's disk space, impacting availability. No user interaction or authentication is required, making exploitation trivial. A patch addressing this issue exists in commit 33d1bae6c731ef1682fcdc47b428313be073a5d1. Organizations using affected versions should apply the patch promptly and implement additional resource controls to mitigate risk.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-33483 affects WWBN AVideo, an open-source video platform, specifically versions up to and including 26.0. The issue resides in the aVideoEncoderChunk.json.php endpoint, which is a standalone PHP script that does not incorporate authentication mechanisms, framework includes, or resource management controls. An unauthenticated remote attacker can send arbitrary POST requests to this endpoint, which writes the data to temporary files in the /tmp/ directory. Critically, there are no limits on the size or rate of these writes, nor is there any cleanup mechanism to remove these files. This design flaw allows an attacker to exhaust the server's disk space by continuously sending large POST payloads, resulting in a denial of service (DoS) condition that can incapacitate the entire server. The vulnerability is classified under CWE-770, which concerns allocation of resources without limits or throttling. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation (no authentication or user interaction required) and the impact on availability. Although no known exploits are reported in the wild, a patch has been committed (commit 33d1bae6c731ef1682fcdc47b428313be073a5d1) to address this issue by presumably adding authentication, resource limits, or cleanup mechanisms.
Potential Impact
The primary impact of CVE-2026-33483 is denial of service through disk space exhaustion, which can disrupt the availability of the AVideo platform and potentially other services running on the same server. Organizations relying on AVideo for video streaming or content delivery may experience service outages, loss of user trust, and operational downtime. The lack of authentication and resource controls means attackers can easily exploit this vulnerability remotely without any credentials or user interaction, increasing the risk of automated attacks and large-scale exploitation. This can lead to significant operational disruption, especially for organizations with high traffic or critical video infrastructure. Additionally, disk exhaustion may cause broader system instability or data loss if the server's storage is shared with other applications or services. Recovery from such an attack may require manual cleanup and system restarts, further increasing downtime and operational costs.
Mitigation Recommendations
Organizations should immediately upgrade to a patched version of WWBN AVideo that includes the fix from commit 33d1bae6c731ef1682fcdc47b428313be073a5d1. Until patching is possible, implement network-level controls such as rate limiting and IP filtering to restrict access to the aVideoEncoderChunk.json.php endpoint. Deploy web application firewalls (WAFs) with custom rules to detect and block abnormal POST request patterns targeting this endpoint. Monitor disk usage closely and set up alerts for unusual growth in the /tmp/ directory. Consider isolating the AVideo service on dedicated infrastructure with limited disk quotas to prevent collateral damage. Review and harden server configurations to restrict file write permissions and implement cleanup scripts to remove stale temporary files regularly. Additionally, conduct regular security audits and penetration testing focused on resource exhaustion vectors to identify similar issues proactively.
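The disk-monitoring and stale-file cleanup steps above can be implemented as a small periodic job. The script below is an added example, not code from WWBN AVideo or from the patch commit; it assumes the chunk endpoint leaves its files in a scratch directory such as /tmp/ and that a cron-style job can run against it. The `chunk_` file-name prefix, the one-hour age limit and the growth threshold are constructed example values, not values taken from the project.

```python
"""
Stale temp-file cleanup and disk-growth alerting for an upload scratch directory.

Added example for the mitigation recommendations (not WWBN AVideo's own code).
Assumes the vulnerable endpoint writes into a directory a periodic job may scan;
the prefix, age limit and growth threshold used here are constructed values.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class ScanResult:
    total_bytes: int = 0                        # bytes held by regular files counted
    file_count: int = 0                         # number of regular files counted
    stale: list = field(default_factory=list)   # files older than max_age_seconds


def scan_dir(path, max_age_seconds, prefix="", now=None):
    """Measure a scratch directory and list files older than max_age_seconds.

    Only regular files are counted (symlinks and subdirectories are skipped), and an
    optional name prefix restricts the scan to the files one job is responsible for.
    """
    now = time.time() if now is None else now
    result = ScanResult()
    for entry in Path(path).iterdir():
        # lstat() so a symlink planted in the directory is neither followed nor counted
        st = entry.lstat()
        if not stat.S_ISREG(st.st_mode) or not entry.name.startswith(prefix):
            continue
        result.total_bytes += st.st_size
        result.file_count += 1
        if now - st.st_mtime > max_age_seconds:
            result.stale.append(entry)
    return result


def cleanup_stale(path, max_age_seconds, prefix="", dry_run=False, now=None):
    """Delete (or, with dry_run=True, only count) files older than max_age_seconds."""
    removed = 0
    for entry in scan_dir(path, max_age_seconds, prefix, now).stale:
        if not dry_run:
            entry.unlink()
        removed += 1
    return removed


def growth_alert(previous_bytes, current_bytes, threshold_bytes):
    """True when the directory grew by at least threshold_bytes since the previous scan."""
    return current_bytes - previous_bytes >= threshold_bytes


def build_sample_dir(now):
    """Constructed fixture: a scratch dir holding one two-hour-old and one fresh file."""
    d = tempfile.mkdtemp(prefix="avideo_tmp_example_")
    old = os.path.join(d, "chunk_old.tmp")
    new = os.path.join(d, "chunk_new.tmp")
    with open(old, "wb") as f:
        f.write(b"x" * 100)
    with open(new, "wb") as f:
        f.write(b"y" * 50)
    os.utime(old, (now - 7200, now - 7200))   # backdate: stale under a 1-hour limit
    os.utime(new, (now - 60, now - 60))       # recent: must survive cleanup
    return d


if __name__ == "__main__":
    scratch = build_sample_dir(time.time())
    before = scan_dir(scratch, max_age_seconds=3600, prefix="chunk_")
    print(f"{before.file_count} files, {before.total_bytes} bytes, {len(before.stale)} stale")
    # A real job would persist the previous total between runs; 0 stands in for "first run".
    if growth_alert(0, before.total_bytes, threshold_bytes=100):
        print("ALERT: scratch directory grew past the threshold since the last scan")
    print("removed", cleanup_stale(scratch, 3600, prefix="chunk_"), "stale file(s)")
    after = scan_dir(scratch, 3600, prefix="chunk_")
    print(f"{after.file_count} file(s), {after.total_bytes} bytes remain")
```

In production the previous total from `scan_dir` is stored between runs so that `growth_alert` fires on a sudden jump rather than on the absolute size; the cleanup is deliberately prefix-scoped and age-based so a job cannot remove files still being written by a legitimate upload.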
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.970Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c92
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/23/2026, 2:46:11 PM
Last updated: 3/23/2026, 3:37:10 PM