CVE-2026-33293: Php RCE — Patch Guide
CVE-2026-33293
Attackers with clone-site credentials can delete arbitrary files on WWBN AVideo servers via CVE-2026-33293, enabling full DoS. Upgrade to version 26.0 now.
Vendor-confirmed: CVE-2026-33293 is a high-severity arbitrary file-deletion vulnerability in WWBN AVideo prior to 26.0 that lets authenticated attackers delete critical server files, causing complete denial of service. Upgrade to version 26.0 to remediate.
Overview
A significant security vulnerability, tracked as CVE-2026-33293, has been discovered in the WWBN AVideo open-source video platform. This flaw allows an attacker with valid clone-site credentials to delete arbitrary files on the server, potentially crippling the entire application.
Vulnerability Details
In versions of WWBN AVideo prior to 26.0, a specific function within the clone-site feature is improperly secured. The deleteDump parameter in the file plugin/CloneSite/cloneServer.json.php is not validated or sanitized before being used. This parameter is passed directly to the unlink() PHP function, which is responsible for deleting files.
An attacker can exploit this by submitting path traversal sequences (like ../../) in the parameter. This tricks the system into escaping the intended directory and navigating to other locations on the server’s file system.
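The following is an added illustration for this advisory, not code from the AVideo project or from its 26.0 patch. It places the unsafe pattern described above (a request value reaching unlink() unchecked) beside a confined deletion routine that resolves the real path and refuses anything outside the dump directory. The directory location, the helper names and the ".sql"/".sql.gz" naming rule are assumptions made for the example; it needs PHP 7.1 or later.

```php
<?php
// Added illustration, not code from the AVideo project or its 26.0 patch.
// $dumpDir, the helper names and the ".sql/.sql.gz" naming rule are
// assumptions for this example.

// Unsafe pattern: the request value reaches unlink() unchecked, so a
// "../" prefix walks out of the dump directory.
function deleteDumpUnsafe(string $dumpDir, string $requested): bool
{
    return @unlink($dumpDir . '/' . $requested);
}

// Hardened version: allow-list the name, resolve the real path, and
// require it to stay inside the dump directory before deleting.
function deleteDumpSafe(string $dumpDir, string $requested): bool
{
    // 1. Accept only a bare file name of the expected shape: no path
    //    separators, no leading dot (assumed dump naming convention).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*\.sql(\.gz)?$/', $requested)) {
        return false;
    }
    // 2. Canonicalise both sides. realpath() resolves symlinks and ".."
    //    and returns false when the path does not exist.
    $base   = realpath($dumpDir);
    $target = realpath($dumpDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return false;
    }
    // 3. Containment check on the resolved path: a symlink inside the
    //    directory that points elsewhere is rejected here as well.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // 4. Regular files only; never unlink directories or devices.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Self-contained demonstration against a temporary directory.
$dumpDir = sys_get_temp_dir() . '/clone-dumps-' . getmypid();
mkdir($dumpDir, 0700);
file_put_contents($dumpDir . '/site.sql.gz', 'dump');
$outside = sys_get_temp_dir() . '/outside-' . getmypid() . '.txt';
file_put_contents($outside, 'must survive');

// A traversal attempt is refused and the file outside the directory stays.
var_dump(deleteDumpSafe($dumpDir, '../' . basename($outside)));
var_dump(file_exists($outside));
// A legitimate dump name inside the directory is deleted.
var_dump(deleteDumpSafe($dumpDir, 'site.sql.gz'));
var_dump(file_exists($dumpDir . '/site.sql.gz'));

unlink($outside);
rmdir($dumpDir);
```

The containment check is done on the output of realpath(), not on the raw request string: stripping "../" from user input is bypassable with encoded or doubled sequences, whereas comparing canonical paths is not. Restricting the allow-listed name to a known file shape is a second, independent layer; either one alone would have blocked the traversal described above.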
Impact and Risks
The impact of this vulnerability is severe (CVSS score 8.1, HIGH). A successful attack can lead to:
- Complete Denial of Service: An attacker can delete critical application files, such as configuration.php. Without this file, the AVideo platform will fail to operate, causing a total service outage.
- Further System Compromise: By deleting security-critical files, an attacker could weaken the system's defenses, potentially enabling additional attacks or making it easier to gain further unauthorized access.
- Data Loss: While the primary function is deletion, the destruction of configuration or log files can hinder recovery efforts and forensic analysis.
This type of vulnerability is a common vector in major security incidents, underscoring the importance of prompt patching. For context on how such flaws contribute to larger breaches, you can review historical incidents in our breach reports.
Remediation and Mitigation
The vendor has released a fix in WWBN AVideo version 26.0. This is the only complete solution.
Action Required:
- Immediate Upgrade: All administrators must upgrade their installations to version 26.0 or later without delay.
- Inventory and Credential Review: Review and audit accounts with “clone” privileges. Ensure the principle of least privilege is followed and that credentials are secure.
- Post-Upgrade Verification: After upgrading, verify the integrity of critical application files, especially configuration.php, to ensure they were not tampered with before the patch was applied.
There is no effective workaround for this vulnerability without applying the official patch. Relying on network security controls alone is insufficient, as the attack originates from an authenticated user within the application itself.
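Because the fix only closes the hole going forward, the post-upgrade verification step should include a look at whether the clone endpoint was hit with traversal sequences before the patch landed. The script below is an added example, not part of this advisory or of the AVideo project: it scans web-server access logs for requests to plugin/CloneSite/cloneServer.json.php whose deleteDump parameter contains a "../" segment, including URL-encoded forms. The log lines are constructed samples in Apache combined format, the log path and format are assumptions, and it needs PHP 8.0 or later.

```php
<?php
// Added example, not part of the advisory or the AVideo project.
// Constructed sample access-log lines (Apache combined format) so the
// scanner runs offline; point it at real logs via the function below.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [01/Mar/2026:10:15:01 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=site.sql.gz HTTP/1.1" 200 45 "-" "curl/8.0"
203.0.113.20 - - [01/Mar/2026:10:16:12 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=../../configuration.php HTTP/1.1" 200 45 "-" "curl/8.0"
203.0.113.20 - - [01/Mar/2026:10:16:40 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=..%2F..%2Fvideos%2Fconfiguration.php HTTP/1.1" 200 45 "-" "curl/8.0"
198.51.100.5 - - [01/Mar/2026:10:17:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG;

/**
 * Returns one row per request to the clone endpoint whose deleteDump value
 * contains a ".." path segment (after URL decoding) or a NUL byte.
 * Only GET parameters appear in access logs: requests that carried the
 * parameter in a POST body need application-level logging to be seen.
 */
function findTraversalAttempts(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Split the combined-log line into client IP, timestamp and request URI.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) /', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $uri] = $m;
        $path = parse_url($uri, PHP_URL_PATH);
        if ($path === null || !str_ends_with($path, '/plugin/CloneSite/cloneServer.json.php')) {
            continue;
        }
        parse_str((string) parse_url($uri, PHP_URL_QUERY), $params);
        if (!isset($params['deleteDump'])) {
            continue;
        }
        // parse_str() URL-decodes once; decode again so double-encoded
        // sequences such as %252e%252e are also caught.
        $value = rawurldecode((string) $params['deleteDump']);
        if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value) || str_contains($value, "\0")) {
            $hits[] = ['ip' => $ip, 'time' => $ts, 'deleteDump' => $value];
        }
    }
    return $hits;
}

// Convenience wrapper for real log files (path is an assumption).
function scanLogFile(string $path): array
{
    return findTraversalAttempts((string) file_get_contents($path));
}

foreach (findTraversalAttempts(SAMPLE_LOG) as $hit) {
    printf("%s %s deleteDump=%s\n", $hit['time'], $hit['ip'], $hit['deleteDump']);
}
```

A hit does not by itself prove a file was removed (the endpoint answers 200 either way in the constructed sample), so correlate any flagged request time with the modification or disappearance of the files named in the Post-Upgrade Verification step, and treat the originating clone-site account as compromised until the credential review above has been completed.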
Staying informed about such vulnerabilities is crucial for maintaining a strong security posture. For the latest updates on threats and patches, follow our security news.