CVE-2026-33483: CWE-770: Allocation of Resources Without Limits or Throttling in WWBN AVideo
CVE-2026-33483 is a high-severity vulnerability in WWBN AVideo versions up to 26.0 involving an unauthenticated PHP endpoint that allows remote attackers to write unlimited data to temporary files without size or rate limits. This flaw enables trivial disk space exhaustion, resulting in denial of service (DoS) of the entire server hosting the video platform. The vulnerable endpoint, aVideoEncoderChunk.json.php, lacks authentication, framework protections, and cleanup mechanisms, making exploitation straightforward. No user interaction or privileges are required, and the attack surface is fully remote. A patch addressing this issue is available in commit 33d1bae6c731ef1682fcdc47b428313be073a5d1. Organizations using affected versions should prioritize applying the patch to prevent service disruption. The vulnerability impacts confidentiality and integrity minimally but severely affects availability.
AI Analysis
Technical Summary
CVE-2026-33483 is a resource exhaustion vulnerability classified under CWE-770 affecting WWBN AVideo, an open-source video platform. The vulnerability exists in the aVideoEncoderChunk.json.php endpoint, which is a standalone PHP script present in versions up to and including 26.0. This script does not implement any authentication or authorization checks, nor does it include framework protections or resource management controls. An unauthenticated remote attacker can send arbitrary POST requests containing data that the script writes directly to persistent temporary files in the /tmp/ directory. Critically, there are no limits on the size or rate of data that can be written, and no cleanup mechanism to remove these files after use. This allows an attacker to rapidly exhaust disk space on the server, causing denial of service by preventing normal operation of the platform and potentially affecting other services on the host. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its high severity due to ease of exploitation (no privileges or user interaction required) and significant impact on availability. Although no known exploits are reported in the wild yet, the simplicity of the attack vector makes it a likely target for attackers seeking to disrupt services. A patch has been committed to address this issue by introducing authentication and resource limits, and users are strongly advised to upgrade to versions beyond 26.0 or apply the patch manually.
Potential Impact
The primary impact of CVE-2026-33483 is denial of service through disk space exhaustion. Organizations running vulnerable versions of WWBN AVideo risk complete service disruption of their video streaming platforms, which can affect user experience, business continuity, and reputation. The attack can also impact other applications sharing the same server or storage resources, potentially causing broader operational outages. Since the vulnerability requires no authentication or user interaction, it can be exploited by any remote attacker, increasing the risk of automated attacks and large-scale disruptions. For organizations relying on AVideo for critical communications, media delivery, or educational content, this vulnerability could lead to significant downtime and financial losses. Additionally, recovery from disk exhaustion may require manual intervention, including cleanup and potential server reboots, increasing operational overhead. While confidentiality and integrity are not directly compromised, the availability impact alone justifies urgent remediation.
Mitigation Recommendations
To mitigate CVE-2026-33483, organizations should immediately upgrade WWBN AVideo to a version later than 26.0 that includes the patch from commit 33d1bae6c731ef1682fcdc47b428313be073a5d1. If upgrading is not immediately possible, administrators should implement temporary controls such as:
1) Restricting access to the aVideoEncoderChunk.json.php endpoint via network-level controls (firewalls, IP whitelisting) to trusted sources only.
2) Implementing web application firewall (WAF) rules to detect and block abnormal POST request sizes or rates targeting this endpoint.
3) Monitoring disk usage on servers hosting AVideo closely and setting alerts for unusual growth in /tmp/ directory files.
4) Applying OS-level quotas or limits on /tmp/ directory usage per process or user to prevent total disk exhaustion.
5) Regularly cleaning up temporary files manually or via automated scripts until the patch is applied.
Additionally, reviewing server and application logs for suspicious POST requests to this endpoint can help detect exploitation attempts early. Finally, organizations should incorporate this vulnerability into their incident response plans and ensure backups and recovery procedures are tested to minimize downtime in case of an attack.
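One way to carry out the log review recommended above, as an added example that is not part of the original advisory or the AVideo project: it scans access-log lines for POSTs to aVideoEncoderChunk.json.php and flags clients whose request count or uploaded bytes within a sliding window exceed a threshold. It assumes an nginx "combined" log format with `$request_length` appended as the last field; the thresholds, the `/example/` path and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "aVideoEncoderChunk.json.php"   # endpoint named in the advisory
WINDOW = timedelta(minutes=1)               # assumed sliding window
MAX_REQUESTS = 3                            # assumed per-client request threshold
MAX_BYTES = 50 * 1024 * 1024                # assumed per-client byte threshold
# Assumed format: nginx "combined" plus $request_length as the final field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<reqlen>\d+)$'
)

# Constructed sample lines (documentation IP ranges, made-up path prefix).
SAMPLE = [
    f'203.0.113.7 - - [23/Mar/2026:14:00:{s:02d} +0000] "POST /example/{ENDPOINT} HTTP/1.1" 200 15 "-" "-" 20971520'
    for s in range(0, 10, 2)
] + [
    f'198.51.100.20 - - [23/Mar/2026:14:00:05 +0000] "POST /example/{ENDPOINT} HTTP/1.1" 200 15 "-" "-" 1048576',
    '198.51.100.20 - - [23/Mar/2026:14:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-" 412',
]

def parse(line):
    """Return (ip, timestamp, request_bytes) for POSTs to ENDPOINT, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST" or not m["path"].split("?")[0].endswith("/" + ENDPOINT):
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["reqlen"])

def find_abusive_clients(lines):
    """Map ip -> (peak requests, peak bytes) in any WINDOW, for clients over a threshold."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = total = peak_n = peak_b = 0
        for end, (ts, size) in enumerate(hits):
            total += size
            while ts - hits[start][0] > WINDOW:   # drop hits older than the window
                total -= hits[start][1]
                start += 1
            peak_n, peak_b = max(peak_n, end - start + 1), max(peak_b, total)
        if peak_n > MAX_REQUESTS or peak_b > MAX_BYTES:
            flagged[ip] = (peak_n, peak_b)
    return flagged
```

Default access-log formats record response size rather than request size, so the byte threshold only works once the request length is logged; the request-count threshold works without it if the regex is adjusted to the local format.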
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.970Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c92
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/30/2026, 8:31:23 PM
Last updated: 5/7/2026, 4:29:56 AM