PT-2026-22993 · Avideo · Avideo
Arkmarta · Published 2026-03-02 · Updated 2026-03-16 · CVE-2026-28502
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 24.0

Description: AVideo is an open source video platform. A Remote Code Execution (RCE) issue was identified in the plugin upload/import functionality. An authenticated administrator could upload a specially crafted ZIP archive containing executable server-side files. Insufficient validation of extracted file contents allowed the archive to be extracted directly into a web-accessible plugin directory, enabling arbitrary PHP code execution. The issue allows for full system compromise, including confidentiality, integrity, and availability impact. The system validated only the ZIP extension of uploaded plugin packages but did not enforce a strict allowlist of file types within the archive. Extracted files were placed directly in a web-accessible directory without preventing execution of server-side scripts.

Recommendations:
- Upgrade to AVideo version 24.0 or later.
- Disable plugin upload/import functionality.
- Configure the web server to prevent execution of PHP files inside plugin upload directories.
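The description above says the application checked only the ".zip" extension of the uploaded package and not the names of the files inside it. The following is an added example, written in Python rather than AVideo's PHP and not taken from the project, of the content check a plugin importer should run before anything is written into a web-accessible directory: every archive entry is tested against an extension allowlist, any server-side script suffix anywhere in the name is refused (so "logo.php.png" is rejected, since some handler configurations dispatch on inner suffixes), and traversal components, absolute paths and symlinks are refused as well. The allowlist, the script-suffix set, the size cap and the sample archives are constructed for this illustration.

```python
"""Allowlist validation of plugin ZIP contents before extraction (added example).

Not AVideo's code: it shows the check the advisory says was missing, namely
inspecting every archive entry before extraction into a web-served directory.
Names, limits and sample data below are assumptions for the illustration.
"""
import io
import posixpath
import stat
import zipfile

# Extensions a plugin package may contain (assumed allowlist for the example).
ALLOWED_EXTENSIONS = {"json", "html", "css", "js", "png", "jpg", "svg", "txt", "md"}

# Server-side script suffixes that must not appear anywhere in an entry name,
# including as an inner suffix, because some web-server handler setups
# dispatch on any dotted component rather than only the last one.
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar",
                     "phps", "pht", "cgi", "pl", "py", "sh", "htaccess"}

# Cap on total uncompressed size, to refuse decompression bombs (assumed limit).
MAX_TOTAL_SIZE = 50 * 1024 * 1024


def _entry_problems(info: zipfile.ZipInfo) -> list[str]:
    """Return every reason a single archive entry must be refused."""
    name = info.filename
    problems = []
    parts = name.split("/")
    # Absolute paths, drive letters and backslashes: never portable, never wanted.
    if name.startswith(("/", "\\")) or ":" in parts[0] or "\\" in name:
        problems.append(f"{name}: absolute or non-portable path")
    if ".." in parts:
        problems.append(f"{name}: path traversal component")
    # A symlink could point outside the plugin directory once extracted.
    if stat.S_ISLNK((info.external_attr >> 16) & 0xFFFF):
        problems.append(f"{name}: symbolic link")
    if name.endswith("/"):
        return problems  # directory entry, no extension to check
    suffixes = [s.lower() for s in posixpath.basename(name).split(".")[1:]]
    if not suffixes:
        problems.append(f"{name}: no extension")
    elif any(s in SCRIPT_EXTENSIONS for s in suffixes):
        problems.append(f"{name}: server-side script extension")
    elif suffixes[-1] not in ALLOWED_EXTENSIONS:
        problems.append(f"{name}: extension '.{suffixes[-1]}' not in allowlist")
    return problems


def validate_plugin_archive(zip_bytes: bytes) -> list[str]:
    """Return rejection reasons; an empty list means the archive may be extracted."""
    problems = []
    total = 0
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                total += info.file_size
                problems.extend(_entry_problems(info))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    if total > MAX_TOTAL_SIZE:
        problems.append(f"uncompressed size {total} exceeds limit {MAX_TOTAL_SIZE}")
    return problems


def build_sample_archive(entries: dict[str, str]) -> bytes:
    """Construct an in-memory ZIP from {name: content}; demo input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign package and one the validator must refuse.
GOOD_PLUGIN = build_sample_archive({
    "MyPlugin/plugin.json": '{"name": "MyPlugin"}',
    "MyPlugin/view/index.html": "<h1>hello</h1>",
    "MyPlugin/assets/style.css": "h1 { color: black; }",
})
BAD_PLUGIN = build_sample_archive({
    "MyPlugin/plugin.json": '{"name": "MyPlugin"}',
    "MyPlugin/run.php": "placeholder",          # script extension
    "MyPlugin/logo.php.png": "placeholder",     # script suffix hidden before .png
    "../outside.txt": "placeholder",            # traversal out of plugin dir
})

if __name__ == "__main__":
    for label, blob in (("good", GOOD_PLUGIN), ("bad", BAD_PLUGIN)):
        reasons = validate_plugin_archive(blob)
        print(label, "accepted" if not reasons else "rejected")
        for reason in reasons:
            print("  -", reason)
```

The validator is deliberately an allowlist with a separate deny set: the allowlist decides what a plugin may ship, the script-suffix set catches names such as "logo.php.png" that an allowlist on the last suffix alone would pass. It complements, rather than replaces, the advisory's last recommendation; a web-server rule that refuses to execute PHP under the plugin upload directory still limits the damage if a check like this is ever bypassed.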

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-28502, GHSA-V8JW-8W5P-23G3

Affected Products: Avideo