Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33513

CVE-2026-33513: WWBN AVideo Path Traversal Vulnerability

CVE-2026-33513 is a path traversal flaw in WWBN AVideo that allows unauthenticated attackers to include arbitrary PHP files, leading to file disclosure and potential remote code execution. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-33513 Overview

WWBN AVideo is an open source video platform that contains a critical path traversal vulnerability in versions up to and including 26.0. An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path without any canonicalization or whitelist validation. This allows attackers to use path traversal sequences to include arbitrary PHP files under the web root, potentially leading to file disclosure, code execution, and in certain scenarios, full remote code execution.

Critical Impact

Unauthenticated attackers can exploit this path traversal vulnerability to disclose sensitive files and execute existing PHP code on the server. If an attacker can place or control a PHP file elsewhere in the directory tree, this can escalate to complete remote code execution. No patched versions are currently available.

Affected Products

  • WWBN AVideo versions up to and including 26.0
  • All installations using the vulnerable APIName=locale endpoint

Discovery Timeline

  • 2026-03-23 - CVE-2026-33513 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-33513

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Path Traversal) and exists within the AVideo platform's API layer. The vulnerable endpoint APIName=locale accepts user-supplied input that is directly concatenated into a file path used in a PHP include statement. The absence of input canonicalization or whitelist validation means that directory traversal sequences such as ../ are accepted and processed without restriction.

The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious requests that traverse the directory structure to include arbitrary PHP files located anywhere under the web root. During testing, researchers confirmed file disclosure and code execution of existing PHP content, such as view/about.php. The vulnerability becomes significantly more severe if an attacker can upload or otherwise place a malicious PHP file on the server, as this would enable full remote code execution.

Root Cause

The root cause is improper input validation in the locale API endpoint. User-controlled input is concatenated directly into file include paths without:

  • Path canonicalization to resolve traversal sequences
  • Whitelist validation to restrict included files to legitimate locales
  • Proper sanitization to strip dangerous path components

This allows attackers to break out of the intended directory and access arbitrary PHP files throughout the web root hierarchy.

Attack Vector

The vulnerability is exploited via network requests to the unauthenticated APIName=locale endpoint. Attackers submit crafted requests containing path traversal sequences (e.g., ../) in the locale parameter. When processed, the server includes the attacker-specified PHP file, executing its code in the context of the web application. The attack requires no special privileges or user interaction, making it highly accessible to remote attackers.

The exploitation path follows this pattern:

  1. Attacker identifies the vulnerable locale API endpoint
  2. Attacker crafts a request with path traversal sequences pointing to a target PHP file
  3. The server processes the request and includes the specified file without validation
  4. PHP code within the included file is executed on the server

For detailed technical information regarding this vulnerability, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-33513

Indicators of Compromise

  • HTTP requests to /api/ endpoints containing APIName=locale with path traversal sequences (../)
  • Web server logs showing unusual file access patterns or errors related to file inclusion
  • Unexpected PHP file execution or access to files outside normal application paths
  • Evidence of reconnaissance activity targeting API endpoints

Detection Strategies

  • Monitor web application firewall (WAF) logs for path traversal patterns in API requests
  • Implement intrusion detection rules to flag requests containing ../ sequences to the locale API
  • Review web server access logs for suspicious requests to the APIName=locale endpoint
  • Deploy application-level logging to track file inclusion operations

Monitoring Recommendations

  • Enable verbose logging for API endpoints, particularly those handling locale or file operations
  • Configure alerting for repeated requests with path traversal patterns from single IP addresses
  • Monitor for anomalous PHP file access or execution events in server logs
  • Implement rate limiting on API endpoints to slow down enumeration attempts

How to Mitigate CVE-2026-33513

Immediate Actions Required

  • Restrict access to the APIName=locale endpoint until a patch is available
  • Implement WAF rules to block requests containing path traversal sequences
  • Consider disabling the vulnerable API endpoint entirely if locale functionality is not critical
  • Audit server logs for evidence of exploitation attempts
  • Implement network-level access controls to limit exposure of the AVideo platform

Patch Information

As of the time of publication, no patched versions of WWBN AVideo are available. Organizations should monitor the GitHub Security Advisory for updates on patch availability and apply security updates immediately when released.

Workarounds

  • Use web application firewall (WAF) rules to block requests containing ../ or encoded traversal sequences to API endpoints
  • Implement access control lists (ACLs) to restrict API access to trusted IP addresses only
  • Remove or disable the vulnerable locale API functionality if not required for operations
  • Apply principle of least privilege to web server file system permissions to limit impact of successful exploitation
bash
# Example WAF rule to block path traversal attempts (ModSecurity syntax)
SecRule REQUEST_URI "@contains APIName=locale" "id:1001,phase:1,deny,status:403,chain"
SecRule ARGS "@contains ../" "t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne