CVE-2026-28502

UNKNOWN 0.0

WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

CWE	CWE-434
Vendor	wwbn
Product	avideo
Published	Mar 6, 2026
Last Updated	Mar 6, 2026

Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new unknown vulnerabilities affecting wwbn avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

WWBN / AVideo

< 24.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3 github.com: https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db github.com: https://github.com/WWBN/AVideo/releases/tag/24.0