Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled users_id and liveTransmitionHistory_id values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to exec(), allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as $() or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
AnalysisAI
WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.
Technical ContextAI
The vulnerability affects WWBN AVideo (cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*), an open-source video streaming and management platform. This is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The restreamer endpoint accepts JSON requests containing users_id and liveTransmitionHistory_id values, which are used to construct log file paths without validation or sanitization. These unsanitized values are then directly concatenated into shell commands passed to PHP's exec() function, allowing shell metacharacters such as backticks, $(), semicolons, or pipe operators to break out of the intended command context and execute arbitrary system commands with the privileges of the web server process.
RemediationAI
Apply the security patch provided in commit 99b865413172045fef6a98b5e9bfc7b24da11678 available at https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678, or upgrade to a version of AVideo newer than 26.0 that incorporates this fix. Review the GitHub Security Advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw for additional guidance from the vendor. Until patching is feasible, implement compensating controls such as restricting access to the restreamer endpoint through web application firewall rules, limiting authenticated user privileges, implementing strict input validation at the network perimeter, and monitoring system logs for suspicious command execution patterns or unexpected process spawning from the web server user context. Consider disabling the restreamer functionality entirely if not required for business operations until the patch can be applied.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed
Unauthenticated SQL injection in AVideo before 24.0.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14484
GHSA-5m4q-5cvx-36mw