CVE-2026-29058

CRITICAL
2026-03-06 [email protected] GHSA-9j26-99jh-v26q
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 07:16 nvd
CRITICAL 9.8

Tags

Command Injection Avideo Encoder

Description

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

Analysis

Unauthenticated OS command injection in AVideo before 7.0.

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all AVideo deployments and their versions; immediately isolate affected instances from production networks if pre-7.0; enable emergency WAF rules to block base64Url parameter exploitation. Within 7 days: Deploy network segmentation to restrict AVideo server access; implement aggressive input validation and request filtering; conduct forensic analysis for signs of compromise. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

49
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0

Share

CVE-2026-29058 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy