CVE-2026-33717: CWE-434: Unrestricted Upload of File with Dangerous Type in WWBN AVideo
CVE-2026-33717 is a high-severity vulnerability in WWBN AVideo versions up to 26.0 that allows unrestricted upload of executable PHP files. The flaw exists in the downloadVideoFromDownloadURL() function, which saves remote content using the original filename and extension without proper validation. By manipulating the resolution parameter, an attacker can cause the process to terminate early, leaving a malicious PHP file accessible in the web root. This enables remote code execution with low complexity and no user interaction. The vulnerability impacts the confidentiality, integrity, and availability of affected systems. A patch has been committed but not yet widely distributed. Organizations using AVideo should urgently apply the fix and restrict access to temporary upload directories to mitigate risk.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33717 affects WWBN AVideo, an open-source video platform, in all versions up to and including 26.0. The root cause lies in the downloadVideoFromDownloadURL() function within the objects/aVideoEncoder.json.php file. This function downloads remote video content and saves it temporarily in a web-accessible directory named videos/cache/tmpFile/. It uses the original filename and extension from the remote URL without sanitization, allowing files with dangerous extensions such as .php to be saved. An attacker can exploit this by supplying a crafted resolution parameter that triggers an early termination of the function via forbiddenPage(), preventing the temporary file from being moved or deleted. Consequently, the malicious PHP file remains accessible under the web root, enabling remote code execution. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring only privileges of a logged-in user but no user interaction. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk due to its ease of exploitation and potential for full system compromise. A patch has been committed (commit 6da79b43484099a0b660d1544a63c07b633ed3a2) to address this issue by properly handling file uploads and preventing dangerous file types from persisting in web-accessible locations.
Potential Impact
If exploited, this vulnerability allows attackers to upload and execute arbitrary PHP code on the affected server, leading to full remote code execution. This compromises the confidentiality of sensitive data stored or processed by the platform, undermines data integrity by allowing unauthorized modifications, and threatens availability through potential service disruption or destruction. Attackers could leverage this access to pivot within the network, deploy malware, or establish persistent backdoors. Given that AVideo is a video hosting platform, organizations relying on it for content delivery or internal video services face risks of data leakage, defacement, or complete system takeover. The ease of exploitation and the lack of required user interaction increase the likelihood of successful attacks, especially in environments where authenticated access is not tightly controlled. This vulnerability could also damage organizational reputation and lead to regulatory compliance issues if exploited.
Mitigation Recommendations
Organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 6da79b43484099a0b660d1544a63c07b633ed3a2 or apply equivalent fixes to sanitize and validate file uploads rigorously. Restrict write permissions to the videos/cache/tmpFile/ directory and ensure it is not web-accessible or executable by configuring web server settings (e.g., disabling PHP execution in that directory). Implement strict input validation on parameters such as resolution to prevent early termination logic bypass. Employ web application firewalls (WAFs) to detect and block suspicious file upload attempts and anomalous HTTP requests targeting this functionality. Regularly audit and monitor the upload directories for unexpected files and maintain comprehensive logging to detect exploitation attempts. Additionally, enforce least privilege principles for authenticated users and consider multi-factor authentication to reduce the risk of credential abuse.
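An added example (not AVideo's own code) covering the audit and log-monitoring recommendations above: it flags files in the temp cache whose name carries an executable or non-video suffix, including double extensions such as clip.php.mp4, and scans access-log lines for requests to executable files under videos/cache/tmpFile/. The extension allow-list, the sample filenames and the log lines are constructed assumptions for the demo.

```python
import os
import re
import tempfile
# Allow-list of what belongs in AVideo's videos/cache/tmpFile/: an assumption for this example.
ALLOWED_EXTENSIONS = {".mp4", ".webm", ".mkv", ".mov", ".avi", ".mp3"}
# Suffixes a PHP-enabled web server would typically hand to the interpreter.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar", ".phps"}
TMPFILE_PREFIX = "/videos/cache/tmpFile/"  # web-accessible temp directory named in the advisory
# Request line plus status of a common/combined-format access log entry.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def _suffixes(name: str) -> set[str]:
    """All dotted suffixes, lower-cased: 'a.php.mp4' -> {'.php', '.mp4'} (catches double extensions)."""
    parts = name.lower().split(".")
    return {"." + p for p in parts[1:] if p}

def is_suspicious(name: str) -> bool:
    """No extension, any executable suffix anywhere, or a final extension outside the allow-list."""
    suffixes = _suffixes(name)
    if not suffixes or suffixes & EXECUTABLE_EXTENSIONS:
        return True
    return "." + name.lower().rsplit(".", 1)[-1] not in ALLOWED_EXTENSIONS

def audit_tmp_dir(path: str) -> list[str]:
    """Walk the temp cache and return relative paths of files that should not be there."""
    findings = []
    for root, _dirs, files in os.walk(path):
        findings += [os.path.relpath(os.path.join(root, n), path) for n in files if is_suspicious(n)]
    return sorted(findings)

def flag_log_lines(lines) -> list[tuple[str, str, str]]:
    """(method, path, status) for requests fetching an executable-suffixed file under the temp cache."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string when matching
        if path.startswith(TMPFILE_PREFIX) and _suffixes(path.rsplit("/", 1)[-1]) & EXECUTABLE_EXTENSIONS:
            hits.append((m.group("method"), path, m.group("status")))
    return hits

def build_sample_dir() -> str:
    """Throwaway cache directory holding constructed filenames for a demo run."""
    path = tempfile.mkdtemp(prefix="tmpFile-")
    for name in ("clip.mp4", "upload.php", "clip.php.mp4", "notes.txt"):
        open(os.path.join(path, name), "w").close()
    return path

# Constructed access-log lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2026:19:00:01 +0000] "GET /videos/cache/tmpFile/upload.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [23/Mar/2026:19:00:02 +0000] "GET /videos/cache/tmpFile/clip.mp4 HTTP/1.1" 200 10240',
]
```

Point audit_tmp_dir() at the real cache directory and feed flag_log_lines() the web server's access log; any hit means a dangerous file reached or was served from the web root and the directory should be cleaned and PHP execution disabled there.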
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.748Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de8f4197a8e3b82ea83
Added to database: 3/23/2026, 7:00:56 PM
Last enriched: 3/23/2026, 7:16:33 PM
Last updated: 3/23/2026, 9:09:11 PM