What is the CVSS score of CVE-2026-33717?

CVE-2026-33717 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2026-33717?

WWBN AVideo installations up to version 26.0 are vulnerable to remote code execution through authenticated file upload manipulation, allowing attackers with valid credentials to execute arbitrary…

PHP CVE-2026-33717

EUVD-2026-14504 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-03-23 GitHub_M

GHSA-8wf4-c4x3-h952

PHP File Upload

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 23, 2026 - 19:00 euvd

EUVD-2026-14504

Analysis Generated

Mar 23, 2026 - 19:00 vuln.today

CVE Published

Mar 23, 2026 - 18:48 nvd

HIGH 8.8

DescriptionNVD

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the downloadVideoFromDownloadURL() function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including .php). By providing an invalid resolution parameter, an attacker triggers an early die() via forbiddenPage() before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at videos/cache/tmpFile/. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch.

AnalysisAI

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. …

RemediationAI

Within 24 hours: Identify all WWBN AVideo deployments and document current versions; disable remote file download functionality if operationally feasible. Within 7 days: Implement network-level restrictions limiting file upload endpoints to trusted sources only; conduct access review of authenticated user accounts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33717 vulnerability details – vuln.today

Back

PHP CVE-2026-33717

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code