CVE-2026-33717: AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
The downloadVideoFromDownloadURL() function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL’s filename and extension (including .php). By providing an invalid resolution parameter, an attacker triggers an early die() via forbiddenPage() before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at videos/cache/tmpFile/.
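A hardened form of this download pattern, as an added example that is not AVideo's own code: it validates the resolution before any file is written, stores the download outside the web root under a random name with an allow-listed extension, and removes the partial file on every failure path. The function name, the constants and the directory path are assumptions.

```php
<?php
// Added illustration (not AVideo's code): a hardened variant of the
// downloadVideoFromDownloadURL() pattern. Names, the allow-lists and
// TMP_DIR are assumptions made for this example.
declare(strict_types=1);

const TMP_DIR = '/var/lib/avideo/tmpFile';   // assumed: NOT under the web root
const ALLOWED_RESOLUTIONS = ['240', '360', '480', '720', '1080'];
const ALLOWED_EXT = ['mp4', 'webm', 'mkv', 'mov'];

function fetchToTempFile(string $url, string $resolution): string
{
    // 1. Validate every parameter BEFORE any side effect, so an early
    //    exit (the forbiddenPage()/die() path) cannot strand a file on disk.
    if (!in_array($resolution, ALLOWED_RESOLUTIONS, true)) {
        throw new InvalidArgumentException('invalid resolution');
    }
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        throw new InvalidArgumentException('unsupported URL');
    }

    // 2. Never reuse the remote filename. Take only the extension, check it
    //    against an allow-list (so ".php" is rejected) and pick a random name.
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('unsupported file type');
    }
    $tmp = TMP_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // 3. Stream the download; on any failure delete the partial file.
    $in = fopen($url, 'rb');
    if ($in === false) {
        throw new RuntimeException('download failed');
    }
    $out = fopen($tmp, 'xb');   // 'x' refuses to overwrite an existing name
    try {
        if ($out === false || stream_copy_to_stream($in, $out) === false) {
            throw new RuntimeException('could not write temp file');
        }
    } catch (Throwable $e) {
        @unlink($tmp);
        throw $e;
    } finally {
        fclose($in);
        if ($out !== false) {
            fclose($out);
        }
    }
    return $tmp;   // the caller moves it to its final location and unlinks it
}
```

Because TMP_DIR is outside the document root and the name is never attacker-chosen, a file left behind by a later failure is not reachable over HTTP and cannot be executed by the web server.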