CVE-2026-33513

High ⚡ Exploit Available
Weakness Type: CWE-22
Published: Mar 23, 2026  ·  Modified: Mar 29, 2026  ·  Source: NVD
CVSS v3: 8.6
📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. As of time of publication, no patched versions are available.

🤖 AI Executive Summary

CVE-2026-33513 is a critical path traversal vulnerability in WWBN AVideo versions up to 26.0 affecting an unauthenticated API endpoint that allows arbitrary PHP file inclusion and disclosure. The vulnerability enables attackers to read sensitive files and execute existing PHP code without authentication, with potential for remote code execution if file upload capabilities are exploited. No patches are currently available, making immediate mitigation through access controls essential for affected Saudi organizations.

🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 02:49
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using WWBN AVideo for video content management and streaming. Most at-risk sectors include: Government agencies and ministries using AVideo for internal communications and training; Educational institutions (universities, technical colleges) hosting video content; Media and broadcasting companies; Healthcare organizations using video for telemedicine and training; Corporate training departments. The unauthenticated nature of the vulnerable endpoint makes it particularly dangerous as it requires no credentials to exploit. Organizations in the Kingdom relying on AVideo for sensitive content distribution face risks of data breach, intellectual property theft, and system compromise.
🏢 Affected Saudi Sectors
- Government and Public Administration
- Education and Universities
- Healthcare and Telemedicine
- Media and Broadcasting
- Corporate Training and Development
- Financial Services (for video content management)
- Telecommunications
⚖️ Saudi Risk Score (AI)
8.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable or restrict access to the vulnerable APIName=locale endpoint at the web application firewall (WAF) or reverse proxy level
2. Implement IP whitelisting for API access if AVideo is used internally
3. Conduct forensic analysis of web server logs for suspicious requests containing path traversal patterns (../, ..\, encoded variants)
4. Review file access logs for unauthorized PHP file reads

COMPENSATING CONTROLS:
1. Deploy WAF rules blocking requests with path traversal payloads to the /api/ endpoint
2. Implement strict input validation at the reverse proxy level rejecting any locale parameter containing path traversal sequences
3. Restrict web server file permissions so PHP files outside intended directories are not readable by the web process
4. Disable PHP execution in upload directories and temporary directories
5. Monitor for suspicious API calls: GET requests to /api/ with locale parameter containing ../ or encoded equivalents

DETECTION RULES:
- Alert on APIName=locale requests containing: ../, ..\, %2e%2e, %252e, or other URL-encoded path traversal variants
- Monitor for include() or require() function calls with user-controlled input in application logs
- Track access to sensitive PHP files (config.php, database connection files) via web server logs
- Implement SIEM rules for bursts of 200 responses interleaved with 403/404 responses from a single source, a pattern consistent with file enumeration
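
The first detection rule above, applied to constructed access-log lines as an added example (this is not code from the advisory, NVD or the AVideo project). It restricts itself to requests carrying APIName=locale, percent-decodes every other parameter repeatedly so that %2e%2e and double-encoded %252e variants normalise to `..` before matching, and treats backslashes like forward slashes. The parameter name `locale`, the `/api/` path and the sample traffic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed combined-format access log lines for illustration; not real traffic.
# The /api/ path and the `locale` parameter name are assumed, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2026:02:49:10 +0300] "GET /api/?APIName=locale&locale=en_US HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2026:02:49:11 +0300] "GET /api/?APIName=locale&locale=../../view/about.php HTTP/1.1" 200 9100
203.0.113.7 - - [24/Apr/2026:02:49:12 +0300] "GET /api/?APIName=locale&locale=..%2F..%2Fview%2Fabout.php HTTP/1.1" 200 9100
203.0.113.7 - - [24/Apr/2026:02:49:13 +0300] "GET /api/?APIName=locale&locale=%252e%252e%255c%252e%252e%255cconfig.php HTTP/1.1" 404 210
203.0.113.9 - - [24/Apr/2026:02:50:00 +0300] "GET /api/?APIName=version HTTP/1.1" 200 88
198.51.100.2 - - [24/Apr/2026:02:50:05 +0300] "GET /view/?p=..%2F HTTP/1.1" 404 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." path segment bounded by a slash (or string start/end) after normalisation.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%2e%2e, %252e, ...) until the value stops changing,
    then fold backslashes into forward slashes so '..\\' and '../' are matched alike."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def is_traversal(value):
    return bool(TRAVERSAL_RE.search(fully_decode(value)))


def scan_log(text):
    """Return one alert per request to the locale API whose parameters carry a '..' segment."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qsl(urlsplit(m.group('target')).query, keep_blank_values=True)
        api_name = {k.lower(): v for k, v in params}.get('apiname', '')
        if api_name.lower() != 'locale':
            continue  # rule is scoped to APIName=locale only
        hits = [(k, v) for k, v in params if k.lower() != 'apiname' and is_traversal(v)]
        if hits:
            alerts.append({'ip': m.group('ip'), 'status': int(m.group('status')), 'params': hits})
    return alerts
```

A 404 on a traversal attempt is still an alert: the rule keys on the request, not on whether the probe succeeded.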

PATCHING GUIDANCE:
- Monitor WWBN AVideo GitHub repository and security advisories for patch release
- Prepare upgrade plan to patched version immediately upon availability
- Consider alternative video platforms if patch timeline extends beyond 30 days
- If upgrading is not feasible, disable the API endpoint completely via configuration or code modification
🔧 Remediation Steps (Arabic version, translated to English)
IMMEDIATE ACTIONS:
1. Disable or restrict access to the vulnerable APIName=locale endpoint at the firewall (WAF) or reverse proxy level
2. Apply IP address whitelisting for API access if AVideo is used internally
3. Conduct forensic analysis of web server logs for suspicious requests containing path traversal patterns
4. Review file access logs for unauthorized reads

COMPENSATING CONTROLS:
1. Deploy WAF rules that block requests containing path traversal payloads
2. Apply strict input validation at the reverse proxy level
3. Restrict web server file permissions so that PHP files outside the intended directories cannot be read
4. Disable PHP execution in upload directories and temporary directories
5. Monitor suspicious API calls

DETECTION RULES:
- Alert on APIName=locale requests containing path traversal patterns
- Monitor access to sensitive PHP files via web server logs
- Apply SIEM rules to detect file enumeration attempts

PATCHING GUIDANCE:
- Monitor the WWBN AVideo repository for a patched release
- Prepare an immediate upgrade plan for when the patch becomes available
- Consider alternative video platforms if the patch timeline is extended
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- A.5.1.1 - Information Security Policies and Procedures
- A.6.1.1 - Access Control Policy
- A.6.2.1 - User Registration and De-registration
- A.6.2.2 - User Access Rights
- A.7.1.1 - Cryptography Policy
- A.8.1.1 - Audit Logging
- A.8.2.1 - Protection of Log Information
- A.9.1.1 - Malware Protection
- A.10.1.1 - Vulnerability Management
🔵 SAMA CSF
- Governance - Policy and Risk Management
- Governance - Third-party Risk Management
- Protective - Access Control
- Protective - Data Protection
- Protective - Vulnerability Management
- Detective - Monitoring and Logging
- Detective - Threat Detection
📦 Affected Products / CPE (1 entry)
wwbn:avideo
📊 CVSS Score
8.6 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
- Attack Vector: Network (N)
- Attack Complexity: Low (L)
- Privileges Required: None (N)
- User Interaction: None (N)
- Scope: Unchanged (U)
- Confidentiality: High (H)
- Integrity: Low (L)
- Availability: Low (L)
📋 Quick Facts
- Severity: High
- CVSS Score: 8.6
- CWE: CWE-22
- Exploit: Yes
- Patch: No
- Published: 2026-03-23
- Source Feed: nvd
🇸🇦 Saudi Risk Score
8.8 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available, CWE-22