CVE-2026-40909 - Vulnerability Analysis
Severity: High | CVSS: 8.7 | Last Updated: April 21, 2026
WWBN AVideo - Path Traversal & Remote Code Execution
Overview
WWBN AVideo versions 29.0 and earlier contain a path traversal and unrestricted file write (CWE-22) in locale/save.php. The endpoint builds a file path by concatenating the user-supplied $_POST['flag'] value directly into the path without any sanitization, so "../" sequences in the value walk out of the locale directory. An authenticated administrator, or an attacker who can make a logged-in administrator's browser submit the request via CSRF, can therefore write attacker-controlled PHP files to attacker-chosen locations. Exploitation requires admin privileges or CSRF against an admin.
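The unsafe concatenation pattern described above, beside a hardened form, as an added example written for this page. It is not AVideo's code and does not reproduce locale/save.php; the directory, the function names build_locale_path_unsafe() and build_locale_path_safe(), and the sample payloads are assumptions made for the demonstration.

```php
<?php
// Added example, not AVideo's code. Models the pattern described in the advisory:
// a locale "flag" taken from the request is concatenated into a file path and
// then written. build_locale_path_unsafe(), build_locale_path_safe() and the
// directory below are assumptions made for this demonstration.

declare(strict_types=1);

// Vulnerable pattern: the request value goes straight into the path, so
// "../" sequences walk out of the locale directory.
function build_locale_path_unsafe(string $localeDir, string $flag): string
{
    return $localeDir . '/' . $flag . '.php';
}

// Hardened pattern: allowlist the identifier first, then confirm the resolved
// parent directory is the locale directory before any filesystem write.
function build_locale_path_safe(string $localeDir, string $flag): ?string
{
    // Locale identifiers such as "en" or "pt_BR": letters, digits, "_" and "-" only.
    // This also rejects "/", "\", "." and NUL bytes, so no traversal is possible.
    if (preg_match('/^[A-Za-z0-9_-]{1,16}$/', $flag) !== 1) {
        return null;
    }
    $base = realpath($localeDir);
    if ($base === false) {
        return null; // directory missing or unreadable: refuse rather than build paths blindly
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $flag . '.php';
    // Defence in depth: the file may not exist yet, so resolve its parent and
    // require it to be exactly the locale directory (catches symlink tricks too).
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

$localeDir = sys_get_temp_dir() . '/avideo-locale-demo';
if (!is_dir($localeDir) && !mkdir($localeDir, 0700, true)) {
    fwrite(STDERR, "cannot create $localeDir\n");
    exit(1);
}

// Constructed inputs: two legitimate locale codes and two attacker payloads.
$flags = [
    'en',
    'pt_BR',
    '../../../../var/www/html/backdoor', // classic traversal toward the web root
    "en\0evil",                          // NUL byte, rejected by the allowlist
];

foreach ($flags as $flag) {
    $unsafe = build_locale_path_unsafe($localeDir, $flag);
    $safe   = build_locale_path_safe($localeDir, $flag);
    printf("flag   : %s\n", json_encode($flag));
    printf("unsafe : %s\n", $unsafe);
    printf("safe   : %s\n\n", $safe ?? 'REJECTED');
    if ($safe !== null) {
        // Only the validated path is ever written; the content is just a marker here.
        file_put_contents($safe, "// locale data for $flag\n");
    }
}
```

Run it with `php` on the command line. The unsafe builder happily returns a path ending in `/var/www/html/backdoor.php` for the traversal payload, which is the file write the advisory describes; the hardened builder returns null for both payloads and only ever writes inside the resolved locale directory. The allowlist alone stops the traversal; the realpath() containment check is kept so that a later change to the allowlist cannot silently reopen the hole.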
Severity & Score
High (CVSS 3.1 base score 8.7; the full vector is listed under CVSS Metrics below).
Impact
An attacker who meets the precondition (admin session, or CSRF against a logged-in admin) can write a PHP file to a location the web server will execute and then request it, giving remote code execution as the web server user and, from there, full compromise of the host.
Mitigation
Upgrade to a release that includes the fix commit 57f89ffbc27d37c9d9dd727212334846e78ac21a or any later commit. To confirm that a deployed checkout carries the fix, run git merge-base --is-ancestor 57f89ffbc27d37c9d9dd727212334846e78ac21a HEAD in the AVideo source tree; an exit status of 0 means the commit is an ancestor of the deployed revision. Until the upgrade is applied, keep in mind that the CSRF route means an administrator's browser session is enough for an attacker to reach the endpoint.
References
Social Media Activity (2 posts)
CVE-2026-40909 - High (8.7) WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST... https://www.thehackerwire.com/vulnerability/CVE-2026-40909/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-40909
- Severity: High
- CVSS Score: 8.7
- Type: path_traversal
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Network attack vector, low attack complexity, high privileges required (the administrator precondition), no user interaction, changed scope, high confidentiality and integrity impact, no availability impact; these metrics compute to the 8.7 base score listed above. The vector scores the direct administrator path; the CSRF route described in the Overview would instead involve user interaction by the victim admin. The changed scope reflects that a web-application administrator ends up with code execution on the underlying host.