PT-2026-34063 · Avideo · Avideo

Published: 2026-04-14 · Updated: 2026-04-27 · CVE-2026-40909

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 29.0

Description: The locale save endpoint "locale/save.php" builds a file path by concatenating the flag parameter directly into the path without sanitization, and then writes the code parameter to that path with fwrite(). An attacker with administrative privileges, or a user able to perform a Cross-Site Request Forgery (CSRF) attack against an administrator, can use path traversal to write arbitrary .php files to any writable location on the filesystem, leading to Remote Code Execution (RCE): the ability to execute arbitrary commands on the target machine.

Recommendations: Update to a version later than 29.0. As a temporary workaround, restrict access to the "locale/save.php" endpoint.
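As an added example (not AVideo's own code), the following PHP shows the defensive pattern that removes the two conditions described above: the flag parameter is validated against an allowlist of locale codes and its resolved parent directory is compared with the locale directory, the file content is written as exported data rather than as raw PHP, and the endpoint requires an administrator session plus a CSRF token. The directory layout, the locale-code format, the session flag name and the JSON content format are assumptions made for the example.

```php
<?php
// Added example, not AVideo's code: a hardened pattern for a locale-save
// endpoint in which a request parameter ("flag") selects the output file and
// a second parameter ("code") supplies its content. The directory layout,
// the locale-code format and the session/CSRF field names are assumptions.
declare(strict_types=1);

const LOCALE_DIR = __DIR__ . '/locale';

// Map a user-supplied locale flag to a file inside LOCALE_DIR, or return null.
// The allowlist regex accepts only codes such as "en", "pt_BR" or "fil", so
// "/", "\" and "." (the characters a traversal needs) never reach the path.
function localeFilePath(string $flag): ?string
{
    if (preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $flag) !== 1) {
        return null;
    }
    $path = LOCALE_DIR . '/' . $flag . '.php';

    // Defense in depth: resolve the real parent directory and require that it
    // is exactly LOCALE_DIR, so a loosened regex cannot silently reintroduce
    // traversal, and a symlinked locale directory cannot redirect the write.
    $base   = realpath(LOCALE_DIR);
    $parent = realpath(dirname($path));
    if ($base === false || $parent === false || $parent !== $base) {
        return null;
    }
    return $path;
}

// Build the file body from data rather than writing raw PHP: the client sends
// a JSON object of translation key => string (assumed format), and only a
// var_export()'d array is ever written, so the content cannot carry code.
function buildLocaleFile(string $json): ?string
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $value) {
        if (!is_string($value)) {   // reject nested structures and non-strings
            return null;
        }
    }
    return "<?php\nreturn " . var_export($data, true) . ";\n";
}

// Write atomically: a temp file in the same directory, then rename(), so a
// half-written locale file is never picked up by an include().
function saveLocale(string $flag, string $json): bool
{
    $path = localeFilePath($flag);
    $body = buildLocaleFile($json);
    if ($path === null || $body === null) {
        return false;
    }
    $tmp = tempnam(LOCALE_DIR, 'locale_');
    if ($tmp === false || file_put_contents($tmp, $body) === false) {
        return false;
    }
    if (!rename($tmp, $path)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

// Request handling: POST only, an authenticated administrator, and a CSRF
// token that the form must echo back, which closes the CSRF route described
// in the advisory. "isAdmin" and "csrf_token" are assumed session field names.
if (PHP_SAPI !== 'cli') {
    session_start();
    $isAdmin   = !empty($_SESSION['isAdmin']);
    $csrfValid = isset($_SESSION['csrf_token'], $_POST['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token']);

    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !$isAdmin || !$csrfValid) {
        http_response_code(403);
        exit;
    }
    $ok = saveLocale((string) ($_POST['flag'] ?? ''), (string) ($_POST['code'] ?? ''));
    http_response_code($ok ? 200 : 400);
    header('Content-Type: application/json');
    echo json_encode(['ok' => $ok]);
}
```

The allowlist check is what actually closes the traversal: a value such as `../../x` fails the regex before any path is built, and the realpath() comparison is only a second line of defence. Writing exported data instead of the raw `code` parameter matters separately, because a .php file whose body is attacker-chosen remains code execution even when it lands in the intended directory.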

References: Exploit · Fix

Category: Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-40909
GHSA-6RC6-P838-686F

Affected Products

Avideo