CVE-2026-28502: AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction

March 2, 2026 (updated March 6, 2026)

An authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality.

The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db
github.com/WWBN/AVideo/releases/tag/24.0
github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3
github.com/advisories/GHSA-v8jw-8w5p-23g3
nvd.nist.gov/vuln/detail/CVE-2026-28502

Code Behaviors & Features

Detect and mitigate CVE-2026-28502 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →