EUVD-2026-14480

CVE-2026-33513 | HIGH 8.6 (CVSS 3.1) | 2026-03-23 | GitHub_M

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 23, 2026 - 18:45 (euvd), EUVD-2026-14480
Analysis Generated: Mar 23, 2026 - 18:45 (vuln.today)
CVE Published: Mar 23, 2026 - 18:21 (nvd), HIGH 8.6

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

Analysis

WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. …


Remediation

Within 24 hours: Inventory all WWBN AVideo instances and versions; assess whether any run version 26.0 or earlier. Within 7 days: Implement WAF rules blocking suspicious locale API requests with path traversal patterns (../ sequences); restrict API endpoint access to trusted IP ranges if possible; disable the locale API endpoint if not critical to operations. …
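
The traversal check suggested above, sketched as access-log triage (an added example, not code from vuln.today or the AVideo project). The log lines, the `/api-placeholder` path and the `language` parameter name are constructed; only `APIName=locale` comes from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines. The endpoint path and the "language" parameter
# name are placeholders (assumptions), not taken from AVideo.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2026:19:02:11 +0000] "GET /api-placeholder?APIName=locale&language=en_US HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Mar/2026:19:02:14 +0000] "GET /api-placeholder?APIName=locale&language=../../view/about HTTP/1.1" 200 8841',
    '203.0.113.9 - - [23/Mar/2026:19:02:15 +0000] "GET /api-placeholder?APIName=locale&language=%252e%252e%252fview%252fabout HTTP/1.1" 200 8841',
    '198.51.100.4 - - [23/Mar/2026:19:03:40 +0000] "GET /api-placeholder?APIName=video&title=../x HTTP/1.1" 200 97',
    '198.51.100.5 - - [23/Mar/2026:19:04:02 +0000] "POST /api-placeholder?APIName=locale&language=..%5c..%5cview%5cabout HTTP/1.1" 200 8841',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." that forms a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(line):
    """True if the line is a locale API request carrying a '..' path segment."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    params = parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)
    if not any(k == "APIName" and v.lower() == "locale" for k, v in params):
        return False
    # The advisory does not name the vulnerable parameter, so check them all.
    return any(TRAVERSAL_RE.search(fully_decode(v))
               for k, v in params if k != "APIName")

def flag_requests(lines):
    """Return the indexes of log lines that match the traversal pattern."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]

if __name__ == "__main__":
    for i in flag_requests(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[i])
```

Parameters sent in a POST body do not appear in access logs, so this covers query strings only; a WAF rule needs to apply the same decoding to request bodies.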


Priority Score

43 (KEV: 0, EPSS: +0.2, CVSS: +43, POC: 0)
