PT-2026-27168 · Avideo · Avideo
Ahmad-Jarwan
·
Published
2026-03-20
·
Updated
2026-03-23
·
CVE-2026-33513
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
AVideo versions prior to 26.1
Description
AVideo, an open source video platform, has an unauthenticated local file inclusion (LFI) issue in the API locale endpoint. The
APIName=locale handler concatenates user input into an include path without validation or sanitization, so path traversal sequences in that input are honoured. This lets an attacker include arbitrary PHP files under the web root, which means file disclosure and, because include executes whatever it loads, code execution. The vulnerable code resides in plugin/API/API.php, in the get_api_locale() method (lines ~5009–5023). The vulnerability is triggered by manipulating the language parameter in a GET request to the /plugin/API/get.json.php endpoint. Successful exploitation can lead to confidential data leakage and to remote code execution if the attacker can place or control a PHP file within the web server's file system.
Recommendations
Versions prior to 26.1 should be updated once a patched release is available. As a temporary workaround, reject path separators and dots in the language parameter and enforce a strict allowlist of locale slugs. Resolve the target with realpath and verify that it still lies inside the expected locale directory before using it. Stop using include for translations; load them as data from a vetted format such as JSON or a PHP array. Add authentication (an API secret or token) to the endpoint as a secondary control; on its own it does not remove the traversal.
Exploit
Fix
Path traversal
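The following is an added example, not AVideo's code or the advisory's: a Python model of the locale lookup described above, with the vulnerable concatenation beside the hardened resolver the Recommendations ask for (allowlist, slug shape, realpath containment, JSON instead of include). Assumed, because the page does not give them: locale files live in a single directory and are named <slug>.php in the vulnerable model and <slug>.json in the hardened one, and a locale slug looks like "en" or "pt_BR". The directory layout and the sensitive file are constructed in a temporary directory.

```python
"""Vulnerable locale path concatenation next to its hardened form.

Added example, not AVideo's code. File layout and slug format are assumptions."""
import json
import os
import re
import tempfile

# Assumed slug shape ("en", "pt_BR"); AVideo's real locale list is not on the page.
LOCALE_SLUG = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")


def vulnerable_locale_path(locale_dir, language):
    """Models the flaw: the request parameter is concatenated straight into the
    include path, so '..' and '/' inside it walk out of locale_dir.
    The '.php' suffix is an assumption about the original handler."""
    return os.path.join(locale_dir, language + ".php")


def is_within(base_dir, candidate):
    """realpath both sides and require the candidate's parent to be base_dir
    itself; a plain prefix test would accept a sibling like 'locale2/'.
    (PHP's realpath() returns false for missing files; Python's does not.)"""
    base = os.path.realpath(base_dir)
    return os.path.dirname(os.path.realpath(candidate)) == base


def safe_locale_path(locale_dir, language, allowed):
    """Layered check: strict allowlist, then slug shape, then realpath containment.
    `language` is the already URL-decoded parameter, as PHP's $_GET delivers it."""
    if language not in allowed:
        raise ValueError("locale not in allowlist: %r" % language)
    if not LOCALE_SLUG.fullmatch(language):        # excludes '.', '/', '\\', NUL
        raise ValueError("malformed locale slug: %r" % language)
    candidate = os.path.join(locale_dir, language + ".json")
    if not is_within(locale_dir, candidate):       # defence in depth
        raise ValueError("locale path escapes the locale directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def load_locale(locale_dir, language, allowed):
    """Translations are data: parse JSON instead of include()-ing PHP."""
    with open(safe_locale_path(locale_dir, language, allowed), encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Constructed layout: a locale dir under a web root and a sensitive PHP
    file one level up, which is exactly what traversal in `language` reaches."""
    root = tempfile.mkdtemp()
    locale_dir = os.path.join(root, "locale")
    os.mkdir(locale_dir)
    with open(os.path.join(locale_dir, "en.json"), "w", encoding="utf-8") as fh:
        json.dump({"hello": "Hello"}, fh)
    secret = os.path.join(root, "configuration.php")
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("<?php $dbPass = 'constructed';\n")

    allowed = frozenset({"en", "pt_BR"})
    # Values as the server sees them after URL decoding; all constructed.
    attempts = ["en", "../configuration", "en/../../configuration",
                "en\x00", "EN", "..\\configuration"]
    accepted = {}
    for value in attempts:
        try:
            safe_locale_path(locale_dir, value, allowed)
            accepted[value] = True
        except (ValueError, FileNotFoundError):
            accepted[value] = False

    vuln = os.path.realpath(vulnerable_locale_path(locale_dir, "../configuration"))
    return {
        "vulnerable_reaches_secret": vuln == os.path.realpath(secret),
        "accepted": accepted,
        "en_strings": load_locale(locale_dir, "en", allowed),
        "contained": is_within(locale_dir, os.path.join(locale_dir, "en.json")),
        "escaped": is_within(locale_dir, os.path.join(locale_dir, "..", "configuration.php")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allowlist does the real work; the slug regex and the realpath containment check are there so that a later edit to the allowlist (or a locale name containing a separator) cannot silently reopen the hole. In the PHP handler the same three checks go before the file is touched, and `include` is replaced by `json_decode(file_get_contents(...))` or an array file that is not user-selectable.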
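For operators who cannot patch immediately, the following is an added detection example (not the advisory's or AVideo's code) that scans combined-format access log lines for requests to the /plugin/API/get.json.php endpoint named above with APIName=locale and a language value carrying traversal characters. Double percent-encoding is undone before the check. The log lines, client addresses and payload values are constructed; the slug pattern is the same assumption as above and nothing here claims which requests actually succeeded.

```python
"""Flag traversal attempts against the locale API endpoint in access logs.

Added example, not AVideo's code. Sample log lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/plugin/API/get.json.php"                  # named in the advisory
LOCALE_SLUG = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")   # assumed slug shape

# Constructed combined-format lines: one benign, two traversal attempts,
# one unrelated API call, one benign second locale.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/API/get.json.php?APIName=locale&language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Mar/2026:10:01:09 +0000] "GET /plugin/API/get.json.php?APIName=locale&language=..%2F..%2F..%2Fconfiguration HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '203.0.113.7 - - [20/Mar/2026:10:01:15 +0000] "GET /plugin/API/get.json.php?APIName=locale&language=%252e%252e%2Fvideos%2Fx HTTP/1.1" 200 100 "-" "curl/8.4.0"',
    '198.51.100.4 - - [20/Mar/2026:10:02:00 +0000] "GET /plugin/API/get.json.php?APIName=version HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Mar/2026:10:02:05 +0000] "GET /plugin/API/get.json.php?APIName=locale&language=pt_BR HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(language):
    """Why a decoded language value should not reach an include path."""
    reasons = []
    if ".." in language:
        reasons.append("dot-dot")
    if "/" in language or "\\" in language:
        reasons.append("path separator")
    if "\x00" in language:
        reasons.append("NUL byte")
    if not LOCALE_SLUG.fullmatch(language):
        reasons.append("not a locale slug")
    return reasons


def scan_access_log(lines):
    """Return one hit per language value that fails the slug checks."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        params = parse_qs(url.query, keep_blank_values=True)   # decodes once
        if "locale" not in [v.lower() for v in params.get("APIName", [])]:
            continue
        for raw in params.get("language", []):
            language = fully_decode(raw)
            reasons = suspicious_reasons(language)
            if reasons:
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]),
                             "language": language, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded value rather than on the raw query string is what catches the double-encoded variant; a rule that only greps for `../` in the URL misses it. The HTTP status is carried along so that hits can be triaged, but a 200 alone does not prove the include succeeded.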
Related Identifiers
Affected Products
Avideo