Home / Vulnerability Intelligence / CVE-2026-33513

CVE-2026-33513 - Vulnerability Analysis

HighCVSS: 8.6

Last Updated: March 24, 2026

WWBN AVideo - File Inclusion

Published: March 23, 2026Updated: March 24, 2026Remote Exploitable

Overview

WWBN AVideo <= 26.0 contains a file inclusion vulnerability caused by unsanitized user input concatenated into an include path in the unauthenticated API endpoint 'APIName=locale', letting unauthenticated attackers perform file disclosure and potentially remote code execution if they control PHP files, exploit requires no authentication.

Severity & Score

Severity: High

CVSS Score: 8.6

EPSS Score: 15.4%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can disclose files and potentially execute arbitrary PHP code, leading to full server compromise.

Mitigation

Update to the latest version once a patch is available.

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 23, 2026

🟠 CVE-2026-33513 - High (8.6) WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33513/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33513
Severity: High
CVSS Score: 8.6
Type: file_inclusion
Status: unconfirmed
EPSS: 15.4%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS Score

15.4%Probability of exploitation in the next 30 days