PT-2026-27191 · Avideo · Avideo

Restriction · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33717

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: AVideo is an open source video platform. The downloadVideoFromDownloadURL() function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension, including .php. Providing an invalid resolution parameter triggers an early die() via forbiddenPage() before the temporary file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at videos/cache/tmpFile/.

Recommendations: Versions prior to and including 26.0 should be updated to a version containing commit 6da79b43484099a0b660d1544a63c07b633ed3a2. As a temporary workaround, restrict access to the objects/aVideoEncoder.json.php file.
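As an added illustration that is not AVideo's code, the handler below shows the shape of a download routine that avoids the three defects the description names: a filename taken from the remote URL, a temporary directory under the web root, and cleanup that is skipped when the request aborts early. Every function name, the extension and resolution allowlists, and the $fetch/$store callbacks are assumptions.

```php
<?php
// Added illustration, not AVideo's code: a download handler written to avoid
// the pattern in the advisory. All names, paths and the allowlists are assumed.

// 1. Validate every request parameter before anything touches the disk, so a
//    bad value aborts the request while there is still nothing to clean up.
function validateResolution($resolution): int
{
    $allowed = [240, 360, 480, 720, 1080];
    if (!is_numeric($resolution) || !in_array((int)$resolution, $allowed, true)) {
        throw new InvalidArgumentException('invalid resolution');
    }
    return (int)$resolution;
}

// 2. Never reuse the remote URL's filename. Keep only an allowlisted media
//    extension and pick a random basename, so the stored file can never carry
//    an extension the web server would execute.
function safeTempName(string $url): string
{
    $path = (string)(parse_url($url, PHP_URL_PATH) ?? '');
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ['mp4', 'webm', 'mkv', 'mov'], true)) {
        throw new InvalidArgumentException('unsupported media extension');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// 3. Write the download into a scratch directory outside the web root and
//    guarantee removal with finally, so neither an exception nor an early
//    return can leave the temporary file reachable over HTTP.
//    $fetch(string $url, string $dest) and $store(string $tmp, int $res): string
//    are assumed callbacks for the actual transfer and the final move.
function downloadVideoSafely(array $params, string $scratchDir, callable $fetch, callable $store): string
{
    $resolution = validateResolution($params['resolution'] ?? null);
    $url        = (string)($params['url'] ?? '');
    $tmp        = rtrim($scratchDir, '/') . '/' . safeTempName($url);
    try {
        $fetch($url, $tmp);
        return $store($tmp, $resolution);
    } finally {
        // Runs even when $fetch or $store throws: nothing is left behind.
        if (is_file($tmp)) {
            unlink($tmp);
        }
    }
}
```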

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-33717
GHSA-8WF4-C4X3-H952

Affected Products

Avideo