Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.3
AVideo Plugin Upload Allows Attackers to Run Malicious Code
CVE-2026-28502
GHSA-v8jw-8w5p-23g3
GHSA-v8jw-8w5p-23g3
Summary
AVideo's plugin upload feature allows an attacker with admin credentials to upload a malicious zip file, which can then run code on the server, potentially allowing access to sensitive information, disrupting the server, and giving the attacker full control over the system. To fix this, update to version 23 or disable plugin uploads and prevent PHP execution in the plugin directory if an update can't be done right away.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wwbn | avideo | <= 21.0 | – |
| wwbn | wwbn/avideo | All versions | – |
Original title
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
Original description
## Summary
An authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality.
The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.
## Vulnerability Type
- Remote Code Execution (RCE)
- CWE-434: Unrestricted Upload of File with Dangerous Type
## Affected Versions
- All versions up to and including 22.x.
## Fixed Version
- A fix is expected to be released in version 23.
## Root Cause
The system validated only the ZIP extension of uploaded plugin packages but did not enforce a strict allowlist of file types within the archive. Extracted files were placed directly in a web-accessible directory without preventing execution of server-side scripts.
## Impact
An authenticated administrator could execute arbitrary code on the server, resulting in full system compromise, including:
- Confidentiality loss
- Integrity loss
- Availability impact
## Remediation
Upgrade immediately to **AVideo version 23 or later**.
Version 23 introduces improved validation and secure handling of plugin extraction.
## Workarounds
If upgrade is not immediately possible:
- Disable plugin upload/import functionality.
- Configure the web server to prevent execution of PHP files inside plugin upload directories.
An authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality.
The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.
## Vulnerability Type
- Remote Code Execution (RCE)
- CWE-434: Unrestricted Upload of File with Dangerous Type
## Affected Versions
- All versions up to and including 22.x.
## Fixed Version
- A fix is expected to be released in version 23.
## Root Cause
The system validated only the ZIP extension of uploaded plugin packages but did not enforce a strict allowlist of file types within the archive. Extracted files were placed directly in a web-accessible directory without preventing execution of server-side scripts.
## Impact
An authenticated administrator could execute arbitrary code on the server, resulting in full system compromise, including:
- Confidentiality loss
- Integrity loss
- Availability impact
## Remediation
Upgrade immediately to **AVideo version 23 or later**.
Version 23 introduces improved validation and secure handling of plugin extraction.
## Workarounds
If upgrade is not immediately possible:
- Disable plugin upload/import functionality.
- Configure the web server to prevent execution of PHP files inside plugin upload directories.
nvd CVSS4.0
9.3
Vulnerability type
CWE-434
Unrestricted File Upload
- https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3
- https://nvd.nist.gov/vuln/detail/CVE-2026-28502
- https://github.com/advisories/GHSA-v8jw-8w5p-23g3
- https://github.com/WWBN/AVideo Product
- https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db
- https://github.com/WWBN/AVideo/releases/tag/24.0
Published: 2 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026