Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 29.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/57f89ffbc27d37c9d9dd727212334846e78ac21aPatch
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6rc6-p838-686fExploitVendor Advisory
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6rc6-p838-686fExploitVendor Advisory
FAQ
What is CVE-2026-40909?
CVE-2026-40909 is a vulnerability with a CVSS score of 8.7 (HIGH). WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path a...
How severe is CVE-2026-40909?
CVE-2026-40909 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40909?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.