{"url":"http://public2.vulnerablecode.io/api/packages/74391?format=json","purl":"pkg:composer/wwbn/avideo@0.0.0","type":"composer","namespace":"wwbn","name":"avideo","version":"0.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.0","latest_non_vulnerable_version":"25.0.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50498?format=json","vulnerability_id":"VCID-f5dd-jbd2-9qbn","summary":"AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction\nAn authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality.\n\nThe issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution.","references":[{"reference_url":"https://github.com/WWBN/AVideo","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/WWBN/AVideo"},{"reference_url":"https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/WWBN/AVideo/commit/b739aeeb9ce34aed9961d2c155d597810f8229db"},{"reference_url":"https://github.com/WWBN/AVideo/releases/tag/24.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/WWBN/AVideo/releases/tag/24.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28502","reference_id":"CVE-2026-28502","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28502"},{"reference_url":"https://github.com/advisories/GHSA-v8jw-8w5p-23g3","reference_id":"GHSA-v8jw-8w5p-23g3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v8jw-8w5p-23g3"},{"reference_url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3","reference_id":"GHSA-v8jw-8w5p-23g3","reference_type":"","scores":[],"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3"}],"fixed_packages":[],"aliases":["CVE-2026-28502","GHSA-v8jw-8w5p-23g3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f5dd-jbd2-9qbn"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/wwbn/avideo@0.0.0"}