CVE-2026-33647 Overview
CVE-2026-33647 is a Remote Code Execution (RCE) vulnerability in WWBN AVideo, an open source video platform. The vulnerability exists in the ImageGallery::saveFile() method, which validates uploaded file content using finfo MIME type detection but incorrectly derives the saved filename extension from the user-supplied original filename without implementing an allowlist check. This flaw enables attackers to upload malicious polyglot files that bypass MIME validation while executing as server-side code.
Critical Impact
Authenticated attackers can achieve Remote Code Execution by uploading polyglot files (valid JPEG magic bytes followed by PHP code) with a .php extension, resulting in complete server compromise.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All AVideo installations using the ImageGallery plugin without the security patch
- Self-hosted AVideo deployments with default upload configurations
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-33647 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33647
Vulnerability Analysis
The vulnerability stems from a disconnect between file content validation and file extension handling in the ImageGallery plugin. The ImageGallery::saveFile() method performs MIME type validation using PHP's finfo functions to verify that uploaded content appears to be a legitimate image file. However, this validation only examines the file's magic bytes and internal structure—it does not prevent the file from being saved with an arbitrary extension controlled by the attacker.
When an attacker crafts a polyglot file containing valid JPEG header bytes followed by embedded PHP code, the MIME validation passes because finfo identifies the file as image/jpeg based on the initial magic bytes. The method then uses the original filename provided by the user to determine the destination filename, including its extension. Since no allowlist restricts which extensions are permitted, the attacker can specify a .php extension, causing the file to be saved as an executable PHP script in a web-accessible directory.
Root Cause
The root cause is a CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability. The application fails to implement proper extension validation alongside MIME type checking. MIME detection alone is insufficient for security because polyglot files can satisfy MIME checks while still being executable in other contexts. The method trusts user-supplied filename extensions without validation against a secure allowlist of permitted image extensions such as .jpg, .jpeg, .png, or .gif.
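To make the root cause concrete, here is an added Python illustration (not AVideo's PHP code) of the two save-name policies: the MIME-only check the advisory describes beside one that enforces an extension allowlist and takes the stored extension from the detected content type. The magic-byte table stands in for finfo and is an assumption.

```python
import os
from typing import Optional

# Minimal stand-in for finfo: leading magic bytes -> MIME type (assumption).
SIGNATURES = {
    b"\xFF\xD8\xFF": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Allowlist of permitted image extensions, one canonical form per MIME type.
MIME_TO_EXT = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}
ALIASES = {".jpeg": ".jpg"}

def sniff_mime(content: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in SIGNATURES.items():
        if content.startswith(magic):
            return mime
    return None

def vulnerable_save_name(content: bytes, original_name: str) -> Optional[str]:
    """The flawed pattern: content is sniffed, but the stored extension is
    copied verbatim from the client-supplied filename."""
    if sniff_mime(content) is None:
        return None                      # rejected: not an image
    return "upload" + os.path.splitext(original_name)[1]

def hardened_save_name(content: bytes, original_name: str) -> Optional[str]:
    """The fixed pattern: the client extension must be on the allowlist and
    agree with the sniffed type; the stored name uses the type's own ext."""
    mime = sniff_mime(content)
    if mime is None:
        return None                      # rejected: not an image
    ext = os.path.splitext(original_name)[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext != MIME_TO_EXT.get(mime):
        return None                      # rejected: .php, or .png on JPEG data
    return "upload" + ext

# Constructed polyglot: JPEG magic bytes followed by a harmless PHP tag.
POLYGLOT = b"\xFF\xD8\xFF\xE0" + b"<?php /* constructed marker */ ?>"

if __name__ == "__main__":
    print(vulnerable_save_name(POLYGLOT, "photo.php"))  # upload.php
    print(hardened_save_name(POLYGLOT, "photo.php"))    # None
```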
Attack Vector
The attack is network-based and requires low-privileged authentication to the AVideo platform. An attacker with upload capabilities can exploit this vulnerability through the following sequence:
- Craft a polyglot file containing valid JPEG magic bytes (\xFF\xD8\xFF\xE0) at the start
- Append PHP code after the image header (e.g., <?php system($_GET['cmd']); ?>)
- Upload the file through the ImageGallery functionality with a .php extension
- The MIME check passes due to valid image headers
- The file is saved to a web-accessible directory with the .php extension
- Access the uploaded file via web browser to execute arbitrary PHP code
The official security patch addresses this vulnerability by refactoring file upload handling in the ImageGallery plugin:
}
$video = new Video('', '', $videos_id);
- if ($video->getType() != Video::$videoTypeImage && $video->getType() != Video::$videoTypeGallery) {
+ if ($video->getType() != Video::$videoTypeImage && $video->getType() != Video::$videoTypeGallery) {
return true;
}
return false;
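Review bot: as rendered, the `-` and `+` lines of this hunk are identical (`if ($video->getType() != Video::$videoTypeImage && $video->getType() != Video::$videoTypeGallery) {`), so the excerpt shows no actual change, and it concerns a Video type check rather than the saveFile() extension handling that the surrounding text names as the fix; replace it with the hunk from commit 345a8d3 that adds the extension allowlist, or say which part of the refactor this fragment belongs to.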
Source: GitHub Commit 345a8d3
Detection Methods for CVE-2026-33647
Indicators of Compromise
- PHP files with image magic bytes in upload directories (e.g., files beginning with \xFF\xD8\xFF but having a .php extension)
- Unexpected .php, .phtml, or .phar files in the ImageGallery upload directories
- Web server access logs showing direct requests to uploaded PHP files in gallery directories
- Unusual process spawning from the web server user account following file upload activity
Detection Strategies
- Monitor file uploads for mismatches between detected MIME type and file extension
- Implement file integrity monitoring on web-accessible upload directories to detect new executable files
- Configure web application firewalls to flag requests attempting to upload files with executable extensions to image endpoints
- Review web server access logs for requests to PHP files in known upload directories
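The indicator and the mismatch check above, as an added Python scanner (not part of the advisory or of AVideo): it walks an upload tree and flags files with a PHP-executable extension, and files whose image header is followed by a PHP open tag. The fixture directory and sample files are constructed so it runs offline.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Leading bytes of the image types the gallery accepts (assumed set).
IMAGE_MAGIC = {b"\xFF\xD8\xFF": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
# Extensions the web server would hand to the PHP engine.
EXEC_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

def image_kind(data: bytes) -> Optional[str]:
    """Image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def find_polyglots(root: str) -> List[Tuple[str, str]]:
    """Walk an upload tree and return (path, reason) for every file matching
    the advisory's indicators: an executable extension, or an image header
    followed by a PHP open tag."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()         # whole file: the tag may sit anywhere
            kind = image_kind(data)
            if ext in EXEC_EXT:
                why = f"{kind} header with {ext} extension" if kind else f"{ext} file in upload tree"
                findings.append((path, why))
            elif kind and b"<?php" in data:
                findings.append((path, f"{kind} header followed by PHP open tag"))
    return sorted(findings)

def build_sample_dir() -> str:
    """Constructed fixtures: a clean JPEG, a JPEG/PHP polyglot stored as .php,
    a PNG-named file carrying a PHP tag, and a bare PHP file."""
    root = tempfile.mkdtemp(prefix="avideo_scan_")
    samples = {
        "clean.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
        "polyglot.php": b"\xFF\xD8\xFF\xE0" + b"<?php /* constructed */ ?>",
        "tagged.png": b"\x89PNG\r\n\x1a\n" + b"<?php /* constructed */ ?>",
        "bare.php": b"<?php /* constructed */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

def flagged_names(root: Optional[str] = None) -> List[str]:
    """Basenames of flagged files; scans the constructed fixtures by default."""
    return [os.path.basename(p) for p, _ in find_polyglots(root or build_sample_dir())]
```

Point `flagged_names()` at the real gallery upload directory to run it against a deployment; on the fixtures it returns the three planted files and leaves the clean JPEG alone.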
Monitoring Recommendations
- Enable detailed logging for the ImageGallery plugin upload functionality
- Set up alerts for new PHP file creation in web-accessible directories outside expected paths
- Monitor for outbound connections or unusual command execution originating from the web server process
- Implement real-time file scanning on upload directories for polyglot file patterns
How to Mitigate CVE-2026-33647
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae or later
- Audit existing upload directories for any suspicious files with executable extensions
- Restrict PHP execution in upload directories via web server configuration
- Review user accounts with upload permissions and remove unnecessary access
Patch Information
The vulnerability is addressed in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae. Organizations should apply this patch immediately by updating their AVideo installation. For detailed patch information, refer to the GitHub Security Advisory GHSA-wxjw-phj6-g75w and the commit containing the fix.
Workarounds
- Disable PHP execution in upload directories by adding php_flag engine off to .htaccess files
- Configure the web server to only serve static content from upload directories
- Implement network-level access controls to restrict who can access the upload functionality
- Use a Web Application Firewall (WAF) rule to block file uploads with executable extensions
# Apache configuration to disable PHP execution in upload directories
# php_flag is only valid when mod_php is loaded (Apache refuses to start otherwise);
# the FilesMatch deny below works with any handler, PHP-FPM included
<Directory "/var/www/avideo/videos/uploads">
    php_flag engine off
    <FilesMatch "\.(php|phtml|php3|php4|php5|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.