Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.

INFO

Published Date :

2026-03-06T03:04:57.497Z

Last Modified :

2026-03-06T16:10:00.643Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28502 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28502.

URL Resource
https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db cve-icon cve-icon
https://github.com/WWBN/AVideo/releases/tag/24.0 cve-icon cve-icon
https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability