CVE-2026-33482

HIGH EPSS 79.0%
Published Mar 23, 20263mo ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Mar 23, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
79.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 1

VendorProductVersionRange
wwbnavideo* ≤26.0

References 2

  • github.com https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1
    Patch