AVideo Remote Code Execution via Polyglot File Upload (CVE-2026-33647)
AVideo versions up to 26.0 are vulnerable to remote code execution (CVE-2026-33647) due to insufficient file validation in the `ImageGallery::saveFile()` method, allowing attackers to upload polyglot files with a `.php` extension to achieve code execution.
AVideo, an open-source video platform, is susceptible to remote code execution (RCE) in versions up to and including 26.0 due to a flaw in the ImageGallery::saveFile() method. This vulnerability, identified as CVE-2026-33647, arises from the inadequate validation of uploaded files. Specifically, the system uses finfo for MIME type detection but relies on the user-supplied filename extension without proper sanitization. An attacker can leverage this weakness by crafting a polyglot file, embedding malicious PHP code within a seemingly benign JPEG image, and naming it with a .php extension. This bypasses the MIME type check, causing the file to be saved as an executable PHP file within a web-accessible directory. The vulnerability was patched in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae. Successful exploitation grants the attacker the ability to execute arbitrary code on the AVideo server, leading to potential data breaches, system compromise, and service disruption.
Attack Chain
- The attacker identifies an AVideo instance running a vulnerable version (<= 26.0).
- The attacker crafts a polyglot file. This file is a valid JPEG image with PHP code appended. The file is named with a
.phpextension (e.g.,evil.php). - The attacker uses the AVideo web interface, specifically the image upload functionality within
ImageGallery::saveFile(), to upload the maliciousevil.phpfile. - The
ImageGallery::saveFile()method usesfinfoto check the MIME type of the uploaded file. Because the file starts with JPEG magic bytes, it passes the MIME type check. - Due to the missing allowlist on the filename extension, the file is saved with the attacker-controlled
.phpextension. - The file is saved in a web-accessible directory on the AVideo server.
- The attacker sends an HTTP request to the uploaded PHP file (e.g.,
https://avideo.example.com/uploads/evil.php). - The web server executes the PHP code embedded within the
evil.phpfile, granting the attacker remote code execution on the server.
Impact
Successful exploitation of CVE-2026-33647 allows an attacker to execute arbitrary code on the AVideo server. This can lead to a full system compromise, including the ability to read and modify sensitive data, install malware, pivot to other systems on the network, and disrupt service availability. The impact depends on the privileges of the web server process. Given the nature of video platforms, successful attacks can also lead to defacement and distribution of malicious content.
Recommendation
- Apply the patch from commit
345a8d3ece0ad1e1b71a704c1579cbf885d8f3aeto remediate CVE-2026-33647 immediately. - Implement strict allowlisting for file extensions in the
ImageGallery::saveFile()method to prevent the upload of executable files. - Deploy the provided Sigma rule to detect potential attempts to exploit CVE-2026-33647 by monitoring for the execution of PHP files within the web server's upload directories.
- Review webserver logs for suspicious requests to PHP files in upload directories for potential exploitation attempts (log source: webserver).
Detection coverage 2
Detect Access to Suspicious PHP File Uploads
highDetects HTTP requests to PHP files within common web server upload directories, indicating potential exploitation of file upload vulnerabilities like CVE-2026-33647.
Detect Web Server Process Creating PHP Files in Upload Directory
highDetects the creation of PHP files within a web server's upload directory, which may indicate an attempt to upload a malicious file for remote code execution.
Detection queries are available on the platform. Get full rules →