Tag
AVideo versions 29.0 and prior are vulnerable to remote code execution due to unsanitized file path construction in the locale save endpoint, allowing arbitrary PHP file writes by authenticated administrators or those who can CSRF them.