CVE-2026-28502

EPSS 0.32%

AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction

Published: 3/2/2026
Modified: 3/6/2026
Also known as: GHSA-v8jw-8w5p-23g3

Description

## Summary

An authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Because the extracted file contents were insufficiently validated, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.

## Vulnerability Type

- Remote Code Execution (RCE)
- CWE-434: Unrestricted Upload of File with Dangerous Type

## Affected Versions

- All versions up to and including 22.x.

## Fixed Version

- A fix is expected to be released in version 23.

## Root Cause

The system validated only the ZIP extension of uploaded plugin packages but did not enforce a strict allowlist of file types within the archive. Extracted files were placed directly in a web-accessible directory without preventing execution of server-side scripts.

## Impact

An authenticated administrator could execute arbitrary code on the server, resulting in full system compromise, including:

- Confidentiality loss
- Integrity loss
- Availability impact

## Remediation

Upgrade immediately to **AVideo version 23 or later**. Version 23 introduces improved validation and secure handling of plugin extraction.

## Workarounds

If upgrading is not immediately possible:

- Disable plugin upload/import functionality.
- Configure the web server to prevent execution of PHP files inside plugin upload directories.
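The two controls the Root Cause section says were missing, an allowlist of entry types inside the archive and extraction that cannot place executable server-side scripts in the web root, as an added example in PHP (AVideo is a PHP application). This is not AVideo's code and not the version 23 fix; the function names, the allowlist contents, the `$pluginsDir` path and the constructed archive names are assumptions made for the example. `validatePluginArchive()` inspects every ZIP entry before anything touches disk (path escape, symlinks, final extension, script extensions hidden in a multi-extension name) and `extractPluginArchive()` writes only validated entries, without an execute bit, inside the plugin directory.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's own code. Names and allowlist contents are assumptions.

/** Extensions a plugin package is allowed to contain (assumed allowlist). */
const PLUGIN_ALLOWED_EXTENSIONS = ['json', 'js', 'css', 'html', 'png', 'jpg', 'svg', 'txt', 'md'];

/** Server-side script extensions rejected anywhere in a file name (defence in depth). */
const PLUGIN_SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'inc'];

/**
 * Inspect every entry of the archive before anything is written to disk.
 * Returns a list of human-readable problems; an empty list means "safe to extract".
 */
function validatePluginArchive(string $zipPath): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ["archive could not be opened: $zipPath"];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            $problems[] = "entry $i: unreadable name";
            continue;
        }
        // Reject absolute paths, drive letters and any '..' component (zip slip).
        $parts = explode('/', str_replace('\\', '/', $name));
        if ($parts[0] === '' || in_array('..', $parts, true) || preg_match('/^[A-Za-z]:/', $name)) {
            $problems[] = "$name: path escapes the plugin directory";
            continue;
        }
        // Reject symbolic links: a link inside the plugin tree could point outside it.
        if ($zip->getExternalAttributesIndex($i, $opsys, $attr)
            && $opsys === ZipArchive::OPSYS_UNIX
            && ((($attr >> 16) & 0170000) === 0120000)) {
            $problems[] = "$name: symbolic link";
            continue;
        }
        // Directory entries carry no content; nothing more to check.
        if (str_ends_with($name, '/')) {
            continue;
        }
        // Allowlist the final extension AND refuse script extensions anywhere in the
        // name: with multi-extension handlers (Apache AddHandler) "payload.php.png"
        // can still be executed as PHP, so the final extension alone is not enough.
        $segments = explode('.', strtolower(basename($name)));
        $ext = count($segments) > 1 ? end($segments) : '';
        if ($ext === '' || !in_array($ext, PLUGIN_ALLOWED_EXTENSIONS, true)) {
            $problems[] = "$name: extension '$ext' is not allowed";
            continue;
        }
        if (array_intersect(array_slice($segments, 1), PLUGIN_SCRIPT_EXTENSIONS) !== []) {
            $problems[] = "$name: contains a server-side script extension";
        }
    }
    $zip->close();
    return $problems;
}

/**
 * Extract an archive entry by entry, only after validation passed, writing each
 * file without an execute bit and re-checking that the destination resolves
 * inside $pluginsDir. Throws on any violation instead of extracting partially.
 */
function extractPluginArchive(string $zipPath, string $pluginsDir): void
{
    $problems = validatePluginArchive($zipPath);
    if ($problems !== []) {
        throw new RuntimeException('rejected plugin archive: ' . implode('; ', $problems));
    }
    $root = realpath($pluginsDir);
    if ($root === false) {
        throw new RuntimeException("plugin directory does not exist: $pluginsDir");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("archive could not be opened: $zipPath");
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $dest = $root . '/' . $name;
        $dir = str_ends_with($name, '/') ? rtrim($dest, '/') : dirname($dest);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new RuntimeException("cannot create directory: $dir");
        }
        // The parent must still resolve under $root (guards against a directory
        // on disk having been replaced by a symlink between validation and write).
        if (strncmp(realpath($dir) . '/', $root . '/', strlen($root) + 1) !== 0) {
            throw new RuntimeException("refusing to write outside plugin directory: $name");
        }
        if (str_ends_with($name, '/')) {
            continue;
        }
        if (is_link($dest)) {
            throw new RuntimeException("destination is a symlink: $dest");
        }
        $in = $zip->getStream($name);
        $out = $in !== false ? fopen($dest, 'wb') : false;
        if ($in === false || $out === false) {
            throw new RuntimeException("cannot extract entry: $name");
        }
        stream_copy_to_stream($in, $out);
        fclose($in);
        fclose($out);
        chmod($dest, 0644); // data file, never executable
    }
    $zip->close();
}

// Usage (paths are constructed placeholders for the example):
// extractPluginArchive('/tmp/uploads/plugin.zip', '/var/www/avideo/plugin');
```

The second workaround on the page still applies alongside validation: even with a strict allowlist, configuring the web server so that PHP is never executed from the plugin upload directory limits the impact if a check is ever bypassed.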

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |

References (5)