
CVE-2026-33513: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo

Severity: High
Tags: Vulnerability, CVE-2026-33513, CWE-22, CWE-98
Published: Mon Mar 23 2026 (03/23/2026, 18:21:59 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

CVE-2026-33513 is a high-severity path traversal vulnerability in WWBN AVideo versions up to and including 26.0. An unauthenticated API endpoint concatenates user input into a file include path without validation, allowing attackers to traverse directories and include arbitrary PHP files within the web root. This can lead to file disclosure and limited code execution through PHP files that already exist on the server. If an attacker can upload or otherwise control PHP files elsewhere in the directory tree, full remote code execution (RCE) is possible. No patches are currently available. The vulnerability has a CVSS v3.1 base score of 8.6 (High), reflecting ease of exploitation without authentication or user interaction. Organizations using AVideo should restrict or disable the vulnerable endpoint, apply strict input validation, and monitor for suspicious activity until a patch is released.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/23/2026, 19:02:13 UTC

Technical Analysis

WWBN AVideo, an open-source video platform, suffers from a high-severity path traversal vulnerability identified as CVE-2026-33513, affecting all versions up to and including 26.0. The flaw exists in an unauthenticated API endpoint named `locale`, which concatenates user-supplied input directly into an include path without canonicalizing it or enforcing an allowlist. This improper limitation of a pathname to a restricted directory (CWE-22) lets attackers traverse directories by manipulating the input and include arbitrary PHP files located under the web root; because the included file is executed as PHP, the issue is also classified as improper control of a filename used in an include statement (CWE-98). In practical tests, the vulnerability enabled attackers to disclose sensitive files and execute code within existing PHP files such as `view/about.php`. Direct remote code execution (RCE) is not guaranteed by this flaw alone, since the attacker can only execute PHP that already exists on the server; it escalates to full RCE if the attacker can place or control a PHP file elsewhere in the application's directory structure and then include it. The vulnerability is exploitable remotely without authentication or user interaction. Despite its severity, no official patches or updates had been released at the time of publication. The CVSS v3.1 base score of 8.6 (High) reflects a network-reachable flaw with low attack complexity that requires no privileges or user interaction, with file disclosure as the primary confidentiality impact. Taken together, these factors make CVE-2026-33513 a serious threat to every deployment of WWBN AVideo up to and including version 26.0.
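As an added illustration (not code from AVideo or from this advisory), the following Python model contrasts the weak pattern described above, user input spliced straight into an include path, with a hardened resolver that allowlists the locale tag and then proves the canonical path is still inside the locale directory. The directory layout, the locale tag format and the set of shipped locales are assumptions made for the example; AVideo itself is PHP and its real layout is not shown on this page.

```python
import posixpath
import re

# Assumed layout for this example (not taken from AVideo): the application is
# served from WEB_ROOT and keeps one PHP file per locale under locale/.
WEB_ROOT = "/var/www/avideo"
LOCALE_DIR = posixpath.join(WEB_ROOT, "locale")

# Constructed allowlist of the locale tags this deployment actually ships.
KNOWN_LOCALES = {"en", "en_US", "pt_BR", "es", "fr"}

# Shape of a legitimate tag: "en", "pt_BR". No dots, slashes or NUL bytes.
LOCALE_TAG = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")


def resolve_locale_vulnerable(user_locale: str) -> str:
    """The weak pattern: user input spliced into the include path unchecked.

    '../view/about' normalises to <WEB_ROOT>/view/about.php, a file outside
    locale/ that PHP would then execute.
    """
    return posixpath.normpath(LOCALE_DIR + "/" + user_locale + ".php")


def resolve_locale_safe(user_locale: str) -> str:
    """Hardened resolver: allowlist the tag, then prove containment."""
    # 1. Syntactic allowlist: rejects '../', encoded dots, NUL, slashes, case games.
    if not LOCALE_TAG.fullmatch(user_locale):
        raise ValueError(f"rejected {user_locale!r}: not a locale tag")
    # 2. Semantic allowlist: only tags this deployment ships.
    if user_locale not in KNOWN_LOCALES:
        raise ValueError(f"rejected {user_locale!r}: unknown locale")
    # 3. Defence in depth: canonicalise and confirm the result still lies
    #    inside LOCALE_DIR (in PHP this is realpath() plus a prefix check).
    candidate = posixpath.normpath(posixpath.join(LOCALE_DIR, user_locale + ".php"))
    if posixpath.commonpath([LOCALE_DIR, candidate]) != LOCALE_DIR:
        raise ValueError(f"rejected {user_locale!r}: escapes locale directory")
    return candidate


def classify(user_locale: str) -> str:
    """Summarise the hardened resolver's decision for one input, so the two
    resolvers can be compared side by side on the same probes."""
    try:
        return "include " + resolve_locale_safe(user_locale)
    except ValueError as exc:
        return "reject: " + str(exc)


if __name__ == "__main__":
    for probe in ["en_US", "../view/about", "..%2fview%2fabout", "en\x00"]:
        print(f"{probe!r:28} vulnerable -> {resolve_locale_vulnerable(probe)}")
        print(f"{'':28} hardened   -> {classify(probe)}")
```

The `..%2fview%2fabout` probe is there to make one point about where the check must run: the web server percent-decodes the query string before the application sees it, so the application-side check operates on `../view/about`; a naive substring filter for `../` applied to the raw URL would never see it. The allowlist also makes the containment check in step 3 redundant on purpose; it stays as a guard against a future change that loosens step 1.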

Potential Impact

The impact of CVE-2026-33513 on organizations using WWBN AVideo is significant. Exploitation can lead to unauthorized disclosure of sensitive files, potentially exposing configuration files, source code, or other private data. The ability to include arbitrary PHP files under the web root lets attackers execute code in the context of the web server, leading to partial or full compromise of the affected system. If attackers can upload or control PHP files elsewhere on the server, they can achieve full remote code execution, enabling them to run arbitrary commands, pivot within the network, or deploy persistent backdoors. This can result in data breaches, service disruption, defacement, or use of the compromised server as a launchpad for further attacks. Because the vulnerability requires neither authentication nor user interaction, exploitation can be automated and widespread. Organizations relying on AVideo for video hosting or streaming services face risks to their operational continuity, data confidentiality, and reputation. With no patch available, the exposure window is open-ended, which makes interim mitigation urgent. Attackers may also use this vulnerability to target high-value organizations running AVideo, increasing the threat to sectors such as media, education, and entertainment.

Mitigation Recommendations

Until an official patch is released, organizations should implement several specific mitigations to reduce risk. First, disable or restrict access to the vulnerable `locale` API endpoint, especially from untrusted networks or the public internet, using web application firewalls (WAFs) or network access controls; test the change, since the endpoint may be needed for the platform's localization, and make sure any WAF rule matches on the percent-decoded request (including double-encoded forms such as `%252e%252e%252f`) rather than on the raw URL. Second, implement strict input validation on all user-supplied inputs used in file path construction: accept only values from an allowlist of known locale identifiers, canonicalize the resulting path, and confirm it still lies inside the intended directory before passing it to `include`. Third, review and harden file permissions on the web server to prevent unauthorized upload or modification of PHP files outside intended directories, which limits the attacker's ability to escalate from including existing files to full RCE; keep PHP's `allow_url_include` off, and note that an `open_basedir` restriction alone does not stop traversal to files that are themselves inside the web root. Fourth, monitor web server and application logs for requests containing path traversal patterns such as `../` sequences, in encoded as well as plain form, or unusual file inclusion attempts. Fifth, consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to detect and block exploitation attempts in real time. Finally, maintain regular backups and prepare incident response plans so that a compromise can be recovered from quickly. Track WWBN's updates closely and apply patches immediately once available.
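The log-monitoring recommendation above, as an added example (not tooling from the advisory or from the AVideo project): a small Python scanner over constructed Combined Log Format lines. It percent-decodes the request target repeatedly so double-encoded traversal is caught, flags `../`-style sequences and NUL bytes, and separately flags any `locale` query parameter whose value is not a plain locale tag. The URL form `/api/?locale=` and the parameter name are assumptions; the page names the endpoint `locale` but does not give its URL, so adjust the matching to the real request shape before use.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: client, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Traversal markers looked for after decoding: dot-dot-slash either way, or NUL.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\x00")
# Shape of a legitimate locale tag (assumed for this example).
LOCALE_TAG = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")

# Constructed sample lines (not real traffic). Lines 2 and 3 are probes:
# a plain traversal and the same thing double-percent-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2026:18:30:01 +0000] "GET /api/?locale=en_US HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Mar/2026:18:30:07 +0000] "GET /api/?locale=../view/about HTTP/1.1" 200 4096',
    '203.0.113.9 - - [23/Mar/2026:18:30:09 +0000] "GET /api/?locale=..%252fview%252fabout HTTP/1.1" 200 4096',
    '198.51.100.7 - - [23/Mar/2026:18:31:00 +0000] "GET /videos/ HTTP/1.1" 200 2048',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %252e%252e%252f -> %2e%2e%2f -> ../ is seen for what it is."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target: str) -> list:
    """Return the reasons a request target looks like a traversal attempt
    (empty list when it looks benign)."""
    reasons = []
    decoded = fully_decode(target)
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal sequence")
    query = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    for value in query.get("locale", []):
        if not LOCALE_TAG.fullmatch(value):
            reasons.append(f"non-locale value in locale parameter: {value!r}")
    return reasons


def scan_log(lines) -> list:
    """Parse each line and collect findings as dicts: line number, client IP,
    raw target and the reasons it was flagged."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a production scanner would count these
        reasons = inspect_target(match["target"])
        if reasons:
            findings.append({"line": number, "ip": match["ip"],
                             "target": match["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['ip']} {hit['target']} -> {'; '.join(hit['reasons'])}")
```

Two points of the design are worth keeping if the scanner is adapted to real logs: match on the decoded target, never the raw one, and treat a well-formed `locale` value that is simply not a locale as a finding in its own right, since a filter that only looks for `../` will miss probes that rely on other tricks to leave the directory.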


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-20T16:59:08.891Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69c18a60f4197a8e3b8159e8

Added to database: 3/23/2026, 6:45:52 PM

Last enriched: 3/23/2026, 7:02:13 PM

Last updated: 3/23/2026, 8:38:22 PM



