{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T18:12:59.127","vulnerabilities":[{"cve":{"id":"CVE-2026-33647","sourceIdentifier":"security-advisories@github.com","published":"2026-03-23T19:16:40.750","lastModified":"2026-03-25T17:54:10.537","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el método 'ImageGallery::saveFile()' valida el contenido de los archivos subidos usando la detección de tipo MIME 'finfo' pero deriva la extensión del nombre de archivo guardado del nombre de archivo original proporcionado por el usuario sin una verificación de lista de permitidos. Un atacante puede subir un archivo políglota (bytes mágicos JPEG válidos seguidos de código PHP) con una extensión '.php'. La verificación MIME pasa, pero el archivo se guarda como un archivo '.php' ejecutable en un directorio accesible por web, logrando Ejecución Remota de Código. El commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contiene un parche."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"26.0","matchCriteriaId":"774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/commit/345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-wxjw-phj6-g75w","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}