CVE-2026-33513 Overview
WWBN AVideo is an open source video platform that contains a critical path traversal vulnerability in versions up to and including 26.0. An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path without any canonicalization or whitelist validation. This allows attackers to use path traversal sequences to include arbitrary PHP files under the web root, potentially leading to file disclosure, code execution, and in certain scenarios, full remote code execution.
Critical Impact
Unauthenticated attackers can exploit this path traversal vulnerability to disclose sensitive files and execute existing PHP code on the server. If an attacker can place or control a PHP file elsewhere in the directory tree, this can escalate to complete remote code execution. No patched versions are currently available.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All installations using the vulnerable APIName=locale endpoint
Discovery Timeline
- 2026-03-23 - CVE-2026-33513 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33513
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal) and exists within the AVideo platform's API layer. The vulnerable endpoint APIName=locale accepts user-supplied input that is directly concatenated into a file path used in a PHP include statement. The absence of input canonicalization or whitelist validation means that directory traversal sequences such as ../ are accepted and processed without restriction.
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious requests that traverse the directory structure to include arbitrary PHP files located anywhere under the web root. During testing, researchers confirmed file disclosure and code execution of existing PHP content, such as view/about.php. The vulnerability becomes significantly more severe if an attacker can upload or otherwise place a malicious PHP file on the server, as this would enable full remote code execution.
Root Cause
The root cause is improper input validation in the locale API endpoint. User-controlled input is concatenated directly into file include paths without:
- Path canonicalization to resolve traversal sequences
- Whitelist validation to restrict included files to legitimate locales
- Proper sanitization to strip dangerous path components
This allows attackers to break out of the intended directory and access arbitrary PHP files throughout the web root hierarchy.
Attack Vector
The vulnerability is exploited via network requests to the unauthenticated APIName=locale endpoint. Attackers submit crafted requests containing path traversal sequences (e.g., ../) in the locale parameter. When processed, the server includes the attacker-specified PHP file, executing its code in the context of the web application. The attack requires no special privileges or user interaction, making it highly accessible to remote attackers.
The exploitation path follows this pattern:
- Attacker identifies the vulnerable locale API endpoint
- Attacker crafts a request with path traversal sequences pointing to a target PHP file
- The server processes the request and includes the specified file without validation
- PHP code within the included file is executed on the server
For detailed technical information regarding this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33513
Indicators of Compromise
- HTTP requests to /api/ endpoints containing APIName=locale with path traversal sequences (../)
- Web server logs showing unusual file access patterns or errors related to file inclusion
- Unexpected PHP file execution or access to files outside normal application paths
- Evidence of reconnaissance activity targeting API endpoints
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal patterns in API requests
- Implement intrusion detection rules to flag requests containing ../ sequences to the locale API
- Review web server access logs for suspicious requests to the APIName=locale endpoint
- Deploy application-level logging to track file inclusion operations
Monitoring Recommendations
- Enable verbose logging for API endpoints, particularly those handling locale or file operations
- Configure alerting for repeated requests with path traversal patterns from single IP addresses
- Monitor for anomalous PHP file access or execution events in server logs
- Implement rate limiting on API endpoints to slow down enumeration attempts
How to Mitigate CVE-2026-33513
Immediate Actions Required
- Restrict access to the APIName=locale endpoint until a patch is available
- Implement WAF rules to block requests containing path traversal sequences
- Consider disabling the vulnerable API endpoint entirely if locale functionality is not critical
- Audit server logs for evidence of exploitation attempts
- Implement network-level access controls to limit exposure of the AVideo platform
Patch Information
As of the time of publication, no patched versions of WWBN AVideo are available. Organizations should monitor the GitHub Security Advisory for updates on patch availability and apply security updates immediately when released.
Workarounds
- Use web application firewall (WAF) rules to block requests containing ../ or encoded traversal sequences to API endpoints
- Implement access control lists (ACLs) to restrict API access to trusted IP addresses only
- Remove or disable the vulnerable locale API functionality if not required for operations
- Apply principle of least privilege to web server file system permissions to limit impact of successful exploitation
# Example WAF rule to block path traversal attempts (ModSecurity syntax)
SecRule REQUEST_URI "@contains APIName=locale" "id:1001,phase:1,deny,status:403,chain"
SecRule ARGS "@contains ../" "t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
