{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33647/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33647","RCE","File Upload","AVideo","Polyglot"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is susceptible to remote code execution (RCE) in versions up to and including 26.0 due to a flaw in the \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e method. This vulnerability, identified as CVE-2026-33647, arises from the inadequate validation of uploaded files. Specifically, the system uses \u003ccode\u003efinfo\u003c/code\u003e for MIME type detection but relies on the user-supplied filename extension without proper sanitization. An attacker can leverage this weakness by crafting a polyglot file, embedding malicious PHP code within a seemingly benign JPEG image, and naming it with a \u003ccode\u003e.php\u003c/code\u003e extension. This bypasses the MIME type check, causing the file to be saved as an executable PHP file within a web-accessible directory. The vulnerability was patched in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae. Successful exploitation grants the attacker the ability to execute arbitrary code on the AVideo server, leading to potential data breaches, system compromise, and service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a polyglot file. This file is a valid JPEG image with PHP code appended. The file is named with a \u003ccode\u003e.php\u003c/code\u003e extension (e.g., \u003ccode\u003eevil.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AVideo web interface, specifically the image upload functionality within \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e, to upload the malicious \u003ccode\u003eevil.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e method uses \u003ccode\u003efinfo\u003c/code\u003e to check the MIME type of the uploaded file. Because the file starts with JPEG magic bytes, it passes the MIME type check.\u003c/li\u003e\n\u003cli\u003eDue to the missing allowlist on the filename extension, the file is saved with the attacker-controlled \u003ccode\u003e.php\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe file is saved in a web-accessible directory on the AVideo server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP file (e.g., \u003ccode\u003ehttps://avideo.example.com/uploads/evil.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code embedded within the \u003ccode\u003eevil.php\u003c/code\u003e file, granting the attacker remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33647 allows an attacker to execute arbitrary code on the AVideo server. This can lead to a full system compromise, including the ability to read and modify sensitive data, install malware, pivot to other systems on the network, and disrupt service availability. The impact depends on the privileges of the web server process. Given the nature of video platforms, successful attacks can also lead to defacement and distribution of malicious content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit \u003ccode\u003e345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae\u003c/code\u003e to remediate CVE-2026-33647 immediately.\u003c/li\u003e\n\u003cli\u003eImplement strict allowlisting for file extensions in the \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e method to prevent the upload of executable files.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential attempts to exploit CVE-2026-33647 by monitoring for the execution of PHP files within the web server's upload directories.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for suspicious requests to PHP files in upload directories for potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/","summary":"AVideo versions up to 26.0 are vulnerable to remote code execution (CVE-2026-33647) due to insufficient file validation in the `ImageGallery::saveFile()` method, allowing attackers to upload polyglot files with a `.php` extension to achieve code execution.","title":"AVideo Remote Code Execution via Polyglot File Upload (CVE-2026-33647)","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-33647","version":"https://jsonfeed.org/version/1.1"}