CVE-2026-33717 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting WWBN AVideo, an open-source video platform. In versions up to and including 26.0, the function downloadVideoFromDownloadURL() in the file objects/aVideoEncoder.json.php downloads remote content and saves it to a temporary web-accessible directory named videos/cache/tmpFile/. The filename and extension are directly derived from the original URL, including potentially dangerous extensions like .php. An attacker can supply an invalid resolution parameter that triggers an early termination of the function via forbiddenPage(), which calls die() before the temporary file is moved or deleted. This results in the malicious PHP file remaining accessible under the web root, enabling remote code execution. The vulnerability requires the attacker to have low privilege authentication but does not require user interaction. The CVSS v3.1 score is 8.8, indicating high severity with network attack vector, low attack complexity, privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. A patch has been committed (commit 6da79b43484099a0b660d1544a63c07b633ed3a2) to fix this issue by ensuring proper handling and cleanup of temporary files and validation of uploaded content.

The impact of CVE-2026-33717 is significant for organizations using WWBN AVideo versions 26.0 and earlier. Successful exploitation allows attackers to upload and execute arbitrary PHP code on the server, leading to full system compromise. This can result in unauthorized data access or exfiltration, defacement or manipulation of video content, deployment of malware or ransomware, and disruption of video services. Since the malicious files remain persistently accessible, attackers can maintain long-term presence and pivot within the network. The vulnerability affects confidentiality, integrity, and availability of the affected systems. Given the nature of video platforms, organizations relying on AVideo for content delivery, media hosting, or internal communications face reputational damage and operational downtime. The ease of exploitation combined with the high impact makes this a critical risk for affected deployments.

To mitigate CVE-2026-33717, organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 6da79b43484099a0b660d1544a63c07b633ed3a2 or later. If upgrading is not immediately possible, implement the following controls: 1) Restrict write permissions on the videos/cache/tmpFile/ directory to prevent execution of uploaded files; 2) Employ web server configuration to disable execution of PHP files in temporary upload directories; 3) Implement strict input validation and sanitization on parameters such as resolution to prevent triggering early termination; 4) Monitor the temporary directories for unexpected PHP or executable files and remove them promptly; 5) Enforce least privilege access for authenticated users to reduce exploitation risk; 6) Use web application firewalls (WAFs) to detect and block suspicious upload attempts; 7) Conduct regular security audits and penetration testing focused on file upload functionalities. These measures help reduce attack surface and prevent persistent malicious file uploads.