CVE-2026-28502
Summary
An authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo's plugin upload/import functionality.
The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.
Vulnerability Type
- Remote Code Execution (RCE)
- CWE-434: Unrestricted Upload of File with Dangerous Type
Affected Versions
- All versions up to and including 22.x.
Fixed Version
- A fix is expected to be released in version 23.
Root Cause
The system validated only the file extension (.zip) of uploaded plugin packages and did not enforce a strict allowlist of the file types contained in the archive. Extracted files were placed directly in a web-accessible directory with nothing to prevent execution of server-side scripts.
Impact
An authenticated administrator could execute arbitrary code on the server, resulting in full system compromise, including:
- Confidentiality loss
- Integrity loss
- Availability impact
Remediation
Upgrade immediately to AVideo version 23 or later.
Version 23 introduces improved validation and secure handling of plugin extraction.
Workarounds
If upgrading is not immediately possible:
- Disable plugin upload/import functionality.
- Configure the web server to prevent execution of PHP files inside plugin upload directories.
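The content check that the Root Cause section describes as missing, as an added Python illustration (not AVideo's PHP code and not the version 23 fix): every archive entry is inspected before anything is extracted, server-side script types are rejected even as an inner extension, and entries that would land outside the extraction directory are refused. The allowlist and the helper names are assumptions for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Assumed allowlist (example policy, not AVideo's): static assets and data only.
ALLOWED_SUFFIXES = {".js", ".css", ".json", ".html", ".png", ".jpg", ".svg", ".txt", ".md"}
# Script types that must not appear anywhere in an entry name, including as the
# inner extension of a double-extension name such as "image.php.png".
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps", ".inc"}
# Files that can change how the web server treats the directory.
FORBIDDEN_NAMES = {".htaccess", ".user.ini"}


def check_entry(name: str) -> Optional[str]:
    """Return a rejection reason for one archive entry, or None if acceptable."""
    if name.endswith("/"):
        return None  # directory entry, nothing to execute
    path = PurePosixPath(name.replace("\\", "/"))
    if path.is_absolute() or ".." in path.parts:
        return f"{name}: path escapes the extraction directory"
    if path.name in FORBIDDEN_NAMES:
        return f"{name}: server configuration file not permitted"
    if {s.lower() for s in path.suffixes} & SCRIPT_SUFFIXES:
        return f"{name}: server-side script type not permitted"
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        return f"{name}: file type not in allowlist"
    return None


def validate_plugin_zip(data: bytes) -> List[str]:
    """Inspect every entry before extraction; an empty list means the archive may be unpacked."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = check_entry(info.filename)
            if reason:
                problems.append(reason)
    return problems


def build_zip(entries: Dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {entry name: content}; constructed input for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Refusing the whole archive on the first problem, rather than extracting the "good" entries, keeps a partially installed plugin from ever reaching the web root.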
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3
- https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db
- https://github.com/WWBN/AVideo
