CVE-2026-33513 affects WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The vulnerability arises from an unauthenticated API endpoint identified by the parameter `APIName=locale`, which concatenates user-supplied input directly into a PHP include path without performing canonicalization or enforcing a whitelist. This improper limitation of pathname (CWE-22) allows attackers to perform path traversal attacks, enabling them to include arbitrary PHP files located anywhere under the web root directory. In practical tests, attackers have confirmed the ability to disclose sensitive files and execute code contained within existing PHP files, such as `view/about.php`. The vulnerability can escalate to remote code execution if the attacker can place or control PHP files elsewhere in the directory tree, for example via other upload functionalities or misconfigurations. The vulnerability is exploitable remotely, requires no authentication or user interaction, and impacts confidentiality, integrity, and availability of affected systems. As of the publication date, no official patches or updates have been released by WWBN to address this issue. The CVSS v3.1 base score is 8.6, reflecting its high severity and ease of exploitation. The vulnerability is also associated with CWE-98, indicating improper control of filename for include/require statements in PHP.

The impact of CVE-2026-33513 is significant for organizations deploying WWBN AVideo as it allows unauthenticated attackers to read arbitrary files within the web root, potentially exposing sensitive configuration files, credentials, or user data. More critically, the vulnerability can lead to remote code execution if attackers can upload or otherwise control PHP files on the server, enabling full system compromise. This can result in data breaches, service disruption, defacement, or use of the compromised server as a pivot point for further attacks. Given that AVideo is often used for video hosting and streaming, exploitation could disrupt media services, damage reputation, and lead to regulatory or compliance issues. The lack of available patches increases the urgency for mitigation. Organizations with publicly accessible AVideo instances are at highest risk, especially if other vulnerabilities or misconfigurations allow file uploads or write access. The vulnerability affects confidentiality, integrity, and availability, making it a critical concern for affected deployments worldwide.

Since no official patches are currently available, organizations should implement immediate compensating controls. First, restrict access to the vulnerable API endpoint (`APIName=locale`) using network-level controls such as firewalls, IP whitelisting, or web application firewalls (WAFs) to block unauthenticated external access. Second, implement input validation and sanitization on the server side to prevent path traversal characters (e.g., `../`) from being processed in include paths. Third, review and harden file upload mechanisms and directory permissions to prevent attackers from placing arbitrary PHP files in the web root or other accessible directories. Fourth, monitor web server logs and application logs for suspicious requests attempting path traversal or unusual file inclusions. Fifth, consider isolating the AVideo application in a container or sandbox environment to limit the blast radius of potential exploitation. Finally, maintain regular backups and prepare incident response plans in case of compromise. Organizations should track WWBN announcements for forthcoming patches and apply them promptly once released.