
WWBN AVideo CVE-2026-41064

Severity: CRITICAL (CVSS 3.1 score 9.3)
OS Command Injection (CWE-78)
2026-04-21 GitHub_M GHSA-pq8p-wc4f-vg7j

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline (4 events)

Apr 22, 2026 - 19:22 (vuln.today): Re-analysis Queued (cvss_changed)
Apr 22, 2026 - 00:57 (vuln.today): Analysis Generated
Apr 21, 2026 - 23:31 (vuln.today): Analysis Generated
Apr 21, 2026 - 23:04 (nvd): CVE Published (CRITICAL 9.3)

Description (NVD)

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil[.]com. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
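
The `/^http/` check described above, set beside a check that parses the URL and requires an http or https scheme and a host. This is an added PHP example, not AVideo's code and not the fix in the referenced commit; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added illustration only. weak_is_url() and strict_is_url() are
// hypothetical names, not functions from AVideo.

// The check the advisory describes: anchored at the start only, so any
// string that merely begins with the letters "http" is accepted.
function weak_is_url(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Stricter check: no whitespace or control bytes, a parsed scheme that is
// exactly http or https, a host component, and a syntactically valid URL.
function strict_is_url(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'https://example.com/video.mp4', // well-formed: both checks accept
    'httpevil.example',              // no scheme separator: weak accepts
    'httpx://example.com/',          // scheme is not http/https: weak accepts
    'http://example.com/a b',        // embedded space: weak accepts
];

foreach ($samples as $s) {
    printf(
        "%-32s weak=%-5s strict=%s\n",
        $s,
        var_export(weak_is_url($s), true),
        var_export(strict_is_url($s), true)
    );
}
```

A URL that passes the strict check can still contain characters a shell interprets, so this validation does not replace `escapeshellarg` on any code path that places the URL in a command line.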

Analysis (AI)

Remote code execution in WWBN AVideo up to version 29.0 allows unauthenticated attackers to execute arbitrary system commands via unsanitized URL parameters in test.php. This vulnerability stems from an incomplete fix that sanitized wget calls but left file_get_contents and curl code paths exploitable through regex bypass (accepting strings like 'httpevil[.]com'). …


Remediation (AI)

Within 24 hours: Identify all WWBN AVideo deployments and confirm versions ≤29.0 in your environment; immediately restrict network access to test.php via firewall or WAF rules blocking any requests to that endpoint. Within 7 days: Monitor upstream WWBN AVideo releases for a patched version incorporating commit 78bccae; test and deploy patched version as soon as available. …

