PT-2026-26770 · Avideo · Avideo

Restriction · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33483

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: The aVideoEncoderChunk.json.php endpoint in AVideo is a standalone PHP script lacking authentication, framework integration, and resource limitations. An unauthenticated remote attacker can send arbitrary POST data to this endpoint, which is then written to persistent temporary files in the /tmp/ directory without any size restrictions, rate limiting, or cleanup mechanisms. This allows for trivial disk space exhaustion, leading to a denial-of-service condition for the entire server. The endpoint is accessible via the /aVideoEncoderChunk.json URL. The php://input stream is used to read the POST body, and the tempnam() function creates the temporary files. The response JSON includes the full filesystem path of the created temporary file, potentially disclosing the server directory structure. The CORS wildcard header allows exploitation from any webpage via a visitor's browser.

Recommendations: Replace objects/aVideoEncoderChunk.json.php with a version that includes authentication, size limits, and cleanup. Ensure the CORS header uses AVideo's configured CORS settings instead of a wildcard. Enforce a size limit for the incoming payload. Implement a cleanup mechanism, such as a cron job or garbage collection, to remove temporary files older than a configurable timeout.
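The recommendations above, turned into a hardened chunk handler as an added example; this is not AVideo's own code or its actual fix, and the token header, environment variable, size limit, timeout and storage directory are assumptions chosen for illustration.

```php
<?php
// Added example: a hardened chunk handler applying the advisory's recommendations.
// Not AVideo's code; the token header, env var, limits and directory are assumptions.
const MAX_CHUNK_BYTES   = 50 * 1024 * 1024; // assumed per-request cap
const CHUNK_TTL_SECONDS = 3600;             // assumed cleanup timeout
$allowedOrigins = ['https://videos.example.org']; // stand-in for configured CORS
function respond(int $status, array $payload): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($payload);
    exit;
}
// 1. Authentication: the encoder presents a shared secret (assumed scheme),
//    compared in constant time.
$expected = getenv('AVIDEO_ENCODER_TOKEN') ?: '';
$given    = $_SERVER['HTTP_X_ENCODER_TOKEN'] ?? '';
if ($expected === '' || !hash_equals($expected, $given)) {
    respond(401, ['error' => true, 'msg' => 'authentication required']);
}
// 2. CORS only for configured origins, never '*', so a third-party page cannot
//    drive uploads through a visitor's browser.
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if ($origin !== '' && in_array($origin, $allowedOrigins, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin');
}
// 3. Size limit: reject on the declared length, then read at most cap+1 bytes,
//    since Content-Length may be absent or wrong.
if ((int)($_SERVER['CONTENT_LENGTH'] ?? 0) > MAX_CHUNK_BYTES) {
    respond(413, ['error' => true, 'msg' => 'chunk too large']);
}
$body = stream_get_contents(fopen('php://input', 'rb'), MAX_CHUNK_BYTES + 1);
if ($body === false || strlen($body) > MAX_CHUNK_BYTES) {
    respond(413, ['error' => true, 'msg' => 'chunk too large']);
}
// 4. Private storage directory; report an opaque handle, not the absolute path.
$dir = sys_get_temp_dir() . '/avideo_chunks';
if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
    respond(500, ['error' => true, 'msg' => 'storage unavailable']);
}
$path = tempnam($dir, 'chunk_');
file_put_contents($path, $body);
// 5. Cleanup: remove chunks older than the TTL so abandoned uploads cannot fill the disk.
foreach (glob($dir . '/chunk_*') ?: [] as $old) {
    if (filemtime($old) < time() - CHUNK_TTL_SECONDS) { @unlink($old); }
}
respond(200, ['error' => false, 'chunk' => basename($path), 'bytes' => strlen($body)]);
```

The per-request garbage collection in step 5 is the simplest form of the cleanup the advisory asks for; a cron job over the same directory and TTL works equally well and keeps the request path cheaper.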

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-33483
GHSA-VV7W-QF5C-734W

Affected Products

Avideo