CVE-2026-40909— WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

对路径名的限制不恰当(路径遍历)

WWBN AVideo 安全漏洞

WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在安全漏洞，该漏洞源于locale/save.php中直接拼接$_POST[flag]构建文件路径且未清理，并通过fwrite将$_POST[code]写入该路径，可能导致管理员或通过CSRF的攻击者路径遍历并写入任意PHP文件，实现远程代码执行。

N/A

N/A