CVE-2026-33513: AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

March 20, 2026 (updated March 23, 2026)

An unauthenticated API endpoint (APIName=locale) concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., view/about.php), and it can escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m
github.com/advisories/GHSA-8fw8-q79c-fp9m
nvd.nist.gov/vuln/detail/CVE-2026-33513

Code Behaviors & Features

Detect and mitigate CVE-2026-33513 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →