The vulnerability CVE-2026-33647 affects WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The root cause lies in the ImageGallery::saveFile() method, which uses the PHP finfo function to validate the MIME type of uploaded files, ensuring the content matches expected image types. However, the method derives the saved file's extension directly from the user-supplied original filename without enforcing an allowlist or validating that the extension corresponds to the MIME type. This flaw allows an attacker to upload a polyglot file that begins with valid JPEG magic bytes but contains embedded PHP code after the image data. Because the MIME type check passes, the file is accepted and saved with the .php extension in a directory accessible via the web server. Consequently, the attacker can execute arbitrary PHP code remotely by accessing the uploaded file through a browser, resulting in Remote Code Execution (RCE). The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. Although no known exploits are reported in the wild yet, the vulnerability is critical due to the ease of exploitation and potential damage. A patch has been committed (commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae) that presumably enforces stricter extension validation or sanitization. Organizations using affected versions should prioritize patching and review file upload handling mechanisms.

Successful exploitation of this vulnerability allows attackers to execute arbitrary PHP code on the server hosting the AVideo platform. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of content, deployment of malware or ransomware, and use of the server as a pivot point for further attacks within the network. The confidentiality, integrity, and availability of the affected systems are severely impacted. Given that AVideo is a video hosting platform, attackers could also deface or manipulate video content, disrupt service availability, or exfiltrate user data. The ease of exploitation with low privileges and no user interaction increases the risk of automated attacks and widespread compromise. Organizations relying on AVideo for video content delivery or internal communications face significant operational and reputational risks if unpatched.

1. Immediately apply the official patch referenced by commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae to all affected AVideo installations. 2. Implement strict server-side validation of uploaded file extensions against a whitelist of allowed types, ensuring the extension matches the MIME type. 3. Sanitize and normalize filenames before saving to prevent injection of dangerous extensions. 4. Configure the web server to disallow execution of scripts in upload directories, for example, by disabling PHP execution in those folders via .htaccess or server configuration. 5. Employ Content Security Policy (CSP) headers and other web application firewalls (WAF) to detect and block suspicious upload attempts. 6. Monitor logs for unusual file uploads or access patterns to detect exploitation attempts early. 7. Educate developers and administrators on secure file upload handling best practices to prevent similar vulnerabilities. 8. Consider isolating the upload directory in a sandboxed environment with minimal privileges to limit impact if exploitation occurs.