CVE-2026-28502 - WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction

CVE ID : CVE-2026-28502 Published : March 6, 2026, 3:04 a.m. | 44 minutes ago Description : WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...