Which versions of AVideo are affected by CVE-2026-41304?

AVideo versions 29.0 and below contain an unauthenticated remote code execution vulnerability in the CloneSite plugin that allows attackers to execute arbitrary commands on affected servers without…

AVideo CVE-2026-41304

Q: What is the CVSS score of CVE-2026-41304?

CVE-2026-41304 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 1.3%.

HIGH

Command Injection (CWE-77)

2026-04-21 GitHub_M

GHSA-xr6f-h4x7-r6qp

PHP RCE Command Injection

8.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 19:22 vuln.today

cvss_changed

Analysis Generated

Apr 22, 2026 - 00:57 vuln.today

CVSS changed

Apr 22, 2026 - 00:22 NVD

8.9 (HIGH)

Analysis Generated

Apr 21, 2026 - 23:31 vuln.today

CVE Published

Apr 21, 2026 - 23:07 nvd

HIGH 8.9

DescriptionNVD

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input (url parameter) without proper sanitization. The input is directly concatenated into a wget command executed via exec(), allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., ;). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.

AnalysisAI

Remote code execution in AVideo versions 29.0 and below allows unauthenticated attackers to execute arbitrary shell commands on the server via command injection in the CloneSite plugin's cloneServer.json.php endpoint. Attackers exploit unsanitized user input in the 'url' parameter that gets directly concatenated into a wget command executed through PHP's exec() function. …

RemediationAI

Within 24 hours: Disable or restrict network access to the CloneSite plugin's cloneServer.json.php endpoint until patching is complete; audit access logs for exploitation attempts. Within 7 days: Upgrade AVideo to version 30.0 or later, or apply fix from commit 473c609fc2defdea8b937b00e86ce88eba1f15bb if available in your release branch. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41304 vulnerability details – vuln.today

Back

AVideo CVE-2026-41304

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

AVideo CVE-2026-41304

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code