WWBN AVideo RCE: Path Traversal Exposes Servers to Arbitrary File Writes

A critical vulnerability, CVE-2026-40909, has been identified in WWBN AVideo, an open-source video platform. According to the National Vulnerability Database, versions 29.0 and prior are susceptible to Remote Code Execution (RCE) due to improper path sanitization. The locale/save.php endpoint directly concatenates user-supplied input ($_POST['flag']) into a file path without validation, allowing for directory traversal (CWE-22).

Exploiting the flaw directly requires administrative privileges. Crucially, because the endpoint performs no CSRF token check and session cookies are issued with SameSite=None, an unprivileged attacker could use Cross-Site Request Forgery (CSRF) to make an administrator’s browser submit the malicious request. The result is the ability to write arbitrary .php files to any writable location on the filesystem, leading to full RCE.

This isn’t just a theoretical bug; it’s a direct path to server compromise. The National Vulnerability Database assigns it a CVSS score of 8.7 (HIGH), underscoring the severity. The fix is available in commit 57f89ffbc27d37c9d9dd727212334846e78ac21a. Defenders must prioritize patching to prevent complete system takeover.
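Added example (not AVideo's code and not the upstream fix): the unsafe concatenation pattern the advisory describes beside a hardened save handler that applies an allow-list, a directory containment check and a CSRF token check. The `LOCALE_DIR` constant, the JSON storage format, the `csrf_token` field and the `$session` argument are assumptions.

```php
<?php
// Added illustration, not AVideo's own code or its fix: the unsafe pattern the
// advisory describes next to a hardened save handler. LOCALE_DIR, the JSON
// storage format, the csrf_token field and the $session argument are assumed.
declare(strict_types=1);
const LOCALE_DIR = __DIR__ . '/locale';

// Unsafe pattern: the client-supplied name is spliced straight into the path,
// so "../" walks out of LOCALE_DIR and the client picks the final file name.
function saveLocaleUnsafe(string $flag, string $code): void
{
    file_put_contents(LOCALE_DIR . '/' . $flag, $code);
}

// Hardened handler: every check must pass before anything touches the disk.
function saveLocaleSafe(array $post, array $session): string
{
    // 1. CSRF: require a token bound to the admin's session, compared in
    //    constant time, so a cross-site form post cannot trigger the write.
    $token = $post['csrf_token'] ?? null;
    if (!is_string($token) || !isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $token)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
    // 2. Allow-list the identifier: only locale codes such as "en" or "pt_BR".
    //    Dots, slashes, NUL bytes and a trailing newline (\z, not $) cannot
    //    match, so traversal is impossible by construction.
    $flag = $post['flag'] ?? '';
    if (!is_string($flag) || !preg_match('/^[a-z]{2}(_[A-Z]{2})?\z/', $flag)) {
        throw new InvalidArgumentException('invalid locale code');
    }
    // 3. Fixed base directory and fixed data extension: the client chooses
    //    neither where the file lands nor whether the web server executes it.
    $target = LOCALE_DIR . '/' . $flag . '.json';
    // 4. Defence in depth: the resolved parent must still be LOCALE_DIR even
    //    if the allow-list above is ever loosened.
    $base = realpath(LOCALE_DIR);
    if ($base === false || realpath(dirname($target)) !== $base) {
        throw new RuntimeException('target escapes the locale directory');
    }
    // 5. Store translations as data (a JSON object), never as PHP source.
    $strings = json_decode($post['code'] ?? '', true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($strings)) {
        throw new InvalidArgumentException('translations must be a JSON object');
    }
    file_put_contents($target, json_encode($strings, JSON_PRETTY_PRINT), LOCK_EX);
    return $target;
}
```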

What This Means For You

  • If your organization uses WWBN AVideo versions 29.0 or prior, your servers are vulnerable to Remote Code Execution. Patch immediately to commit `57f89ffbc27d37c9d9dd727212334846e78ac21a` or later. Audit your web server logs for any suspicious file writes in the `locale/` directory or unexpected `.php` files in other writable locations.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access), severity critical: detection rule "CVE-2026-40909 - WWBN AVideo Locale Save RCE via Path Traversal".

Indicators of Compromise

ID             | Type           | Indicator
CVE-2026-40909 | RCE            | WWBN AVideo versions 29.0 and prior
CVE-2026-40909 | Path Traversal | WWBN AVideo endpoint: locale/save.php, parameter: $_POST['flag']
CVE-2026-40909 | Code Injection | WWBN AVideo endpoint: locale/save.php, parameter: $_POST['code']
CVE-2026-40909 | CSRF           | WWBN AVideo endpoint: locale/save.php (no CSRF token check, SameSite=None cookies)

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 21, 2026 at 23:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

