CVE-2026-33647: CWE-434: Unrestricted Upload of File with Dangerous Type in WWBN AVideo
CVE-2026-33647 is a high-severity vulnerability in WWBN AVideo versions up to 26.0 that allows remote code execution via unrestricted upload of files with dangerous types. The flaw arises because the application validates uploaded file content using MIME type detection but does not enforce an allowlist on the file extension derived from the original filename. Attackers can upload a polyglot file containing valid JPEG data followed by embedded PHP code with a .php extension. Since the MIME check passes, the file is saved as an executable PHP script in a web-accessible directory, enabling execution of arbitrary code on the server. No user interaction is required, and only low privileges are needed to exploit this vulnerability. Although no known exploits are reported in the wild, the impact on confidentiality, integrity, and availability is severe. A patch has been committed to fix this issue by properly restricting file extensions. Organizations using affected versions should urgently apply the patch or implement strict file extension validation and upload directory protections.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33647 affects WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The root cause lies in the ImageGallery::saveFile() method, which validates uploaded files using MIME type detection via the finfo library. However, the filename extension used to save the file is taken directly from the user-supplied original filename without any allowlist or sanitization. This allows an attacker to craft a polyglot file that begins with valid JPEG magic bytes to pass the MIME check but contains embedded PHP code appended after the image data. When uploaded with a .php extension, the file is saved in a web-accessible directory as an executable PHP script. This leads to remote code execution (RCE) on the server with the privileges of the web server process. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 base score is 8.8 (high), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability is critical due to the ease of exploitation and potential for full system compromise. A patch has been committed (commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae) that addresses the issue by enforcing an allowlist on file extensions and improving upload validation. The flaw highlights the risk of relying solely on MIME type checks without validating file extensions and underscores the importance of secure file upload handling in web applications.
Potential Impact
This vulnerability enables remote attackers to execute arbitrary PHP code on affected WWBN AVideo servers by uploading malicious files disguised as images. Successful exploitation can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of content, installation of backdoors or malware, and disruption of service. Given that AVideo is a video platform often deployed in media, education, and enterprise environments, the impact extends to data confidentiality breaches, reputational damage, and potential regulatory non-compliance. The attack requires only low privileges and no user interaction, increasing the risk of automated exploitation. Organizations running vulnerable versions face significant risk of compromise, especially if the server is internet-facing. The vulnerability also facilitates lateral movement within networks if exploited, potentially affecting broader organizational infrastructure.
Mitigation Recommendations
Organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae or later. If upgrading is not immediately possible, implement strict server-side validation of uploaded files by enforcing an allowlist of permitted file extensions and rejecting any uploads with executable extensions such as .php. Additionally, configure the web server to prevent execution of scripts in upload directories by disabling PHP execution or using separate storage locations outside the web root. Employ file integrity monitoring to detect unauthorized file uploads and conduct regular security audits of upload handling code. Network-level controls such as web application firewalls (WAFs) can help detect and block suspicious upload attempts. Finally, educate developers on secure file upload practices, including validating both MIME types and file extensions, and sanitizing filenames to prevent injection of malicious code.
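The following PHP is an added example illustrating the class of fix described in the technical summary and the mitigation recommendations above; it is not AVideo's code and not the referenced patch. It assumes a hypothetical `saveImageUpload()` handler fed one entry of `$_FILES`, and an `IMAGE_EXTENSIONS` allowlist keyed by the MIME type that `finfo` sniffs from the bytes. The stored extension is taken from that allowlist rather than from the client-supplied filename, the client's extension must additionally agree with the sniffed type, and the stored basename is generated rather than reused. A second function, `findSuspiciousUploads()`, applies the same rule to an existing upload directory as a simple integrity check for servers that were exposed before patching.

```php
<?php
// Added example (not AVideo's code): hardened image upload handling and a
// matching audit routine. Names, the allowlist and the size limit are assumptions.
declare(strict_types=1);

// Allowlist keyed by sniffed MIME type. The extension used on disk comes from
// this table, never from the uploaded filename.
const IMAGE_EXTENSIONS = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

const MAX_IMAGE_BYTES = 10 * 1024 * 1024; // assumed limit

/** Lower-case an extension and fold common aliases (jpeg -> jpg). */
function normalizeExtension(string $ext): string
{
    $ext = strtolower($ext);
    return ['jpeg' => 'jpg'][$ext] ?? $ext;
}

/**
 * Validate one $_FILES entry and move it into $uploadDir.
 * Returns the stored basename, or throws on any policy violation.
 */
function saveImageUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Content check: sniff the MIME type from the bytes (the check the
    //    vulnerable code already performed).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']) ?: 'unknown';
    if (!isset(IMAGE_EXTENSIONS[$mime])) {
        throw new RuntimeException("disallowed content type: $mime");
    }

    // 2. Extension check: the client's extension must be on the allowlist AND
    //    agree with the sniffed type. A JPEG polyglot named "x.php" passes
    //    step 1 but is rejected here.
    $expectedExt = IMAGE_EXTENSIONS[$mime];
    $clientExt   = normalizeExtension(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($clientExt !== $expectedExt) {
        throw new RuntimeException("extension .$clientExt does not match content type $mime");
    }

    // 3. Never reuse the client's basename: generate a random one and append
    //    the allowlisted extension for the sniffed type.
    $storedName = bin2hex(random_bytes(16)) . '.' . $expectedExt;
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // data, never executable
    return $storedName;
}

/**
 * Audit an existing upload directory: report files whose extension is not on
 * the allowlist or disagrees with the MIME type sniffed from their bytes.
 */
function findSuspiciousUploads(string $dir): array
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $ext      = normalizeExtension(pathinfo($path, PATHINFO_EXTENSION));
        $mime     = $finfo->file($path) ?: 'unknown';
        $expected = IMAGE_EXTENSIONS[$mime] ?? null;
        if ($expected === null || $ext !== $expected) {
            $findings[] = ['path' => $path, 'ext' => $ext, 'mime' => $mime];
        }
    }
    return $findings;
}

// Usage sketch (request handler):
//   $name = saveImageUpload($_FILES['image'], '/var/avideo-uploads');
// Usage sketch (periodic check, e.g. from cron):
//   foreach (findSuspiciousUploads('/var/avideo-uploads') as $f) { error_log(json_encode($f)); }
```

The extension agreement in step 2 is what closes the gap the advisory describes: content sniffing alone says nothing about how the web server will treat the file, and the server decides that by extension. Step 3 removes the client's filename from the storage path entirely, which also covers path traversal and other filename injection. Independently of the application code, the upload directory should sit outside the web root or have script execution disabled in the web server configuration, so that a file which slips through is served as data rather than run.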
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, South Korea, India, Brazil, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.217Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18a60f4197a8e3b8159eb
Added to database: 3/23/2026, 6:45:52 PM
Last enriched: 3/23/2026, 7:01:59 PM
Last updated: 3/23/2026, 8:38:20 PM