GHSA-V8JW-8W5P-23G3

Vulnerability from github – Published: 2026-03-02 20:56 – Updated: 2026-03-06 14:24
VLAI
Summary
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
Details

Summary

An authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality.

The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.

Vulnerability Type

  • Remote Code Execution (RCE)
  • CWE-434: Unrestricted Upload of File with Dangerous Type

Affected Versions

  • All versions up to and including 22.x.

Fixed Version

  • A fix is expected to be released in version 23.

Root Cause

The system validated only the ZIP extension of uploaded plugin packages but did not enforce a strict allowlist of file types within the archive. Extracted files were placed directly in a web-accessible directory without preventing execution of server-side scripts.

Impact

An authenticated administrator could execute arbitrary code on the server, resulting in full system compromise, including: - Confidentiality loss - Integrity loss - Availability impact

Remediation

Upgrade immediately to AVideo version 23 or later.

Version 23 introduces improved validation and secure handling of plugin extraction.

Workarounds

If upgrade is not immediately possible: - Disable plugin upload/import functionality. - Configure the web server to prevent execution of PHP files inside plugin upload directories.

Severity
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 21.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T20:56:52Z",
    "nvd_published_at": "2026-03-06T04:16:08Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\nAn authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality.\n\nThe issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.\n\n## Vulnerability Type\n- Remote Code Execution (RCE)\n- CWE-434: Unrestricted Upload of File with Dangerous Type\n\n## Affected Versions\n- All versions up to and including 22.x.\n\n## Fixed Version\n- A fix is expected to be released in version 23.\n\n## Root Cause\nThe system validated only the ZIP extension of uploaded plugin packages but did not enforce a strict allowlist of file types within the archive. Extracted files were placed directly in a web-accessible directory without preventing execution of server-side scripts.\n\n## Impact\nAn authenticated administrator could execute arbitrary code on the server, resulting in full system compromise, including:\n- Confidentiality loss\n- Integrity loss\n- Availability impact\n\n## Remediation\nUpgrade immediately to **AVideo version 23 or later**.\n\nVersion 23 introduces improved validation and secure handling of plugin extraction.\n\n## Workarounds\nIf upgrade is not immediately possible:\n- Disable plugin upload/import functionality.\n- Configure the web server to prevent execution of PHP files inside plugin upload directories.",
  "id": "GHSA-v8jw-8w5p-23g3",
  "modified": "2026-03-06T14:24:02Z",
  "published": "2026-03-02T20:56:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28502"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/releases/tag/24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.