Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Type: Classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands. File: plugin/Live/on_publish.php, line 267. Root cause: the developer wrapped each variable in literal single quotes ('$users_id', '$m3u8', '$obj->liveTransmitionHistory_id') believing this provides shell-quoting. PHP single-quoted-into-shell is not safe quoting; it is just two literal quote characters that the shell pairs greedily. Any embedded ' closes the outer string and resumes interpretation in the shell. The rest of the AVideo codebase already calls escapeshellarg() (137 call sites across the project) for ffmpeg invocations, so the safe primitive is well-known to the project; it was simply omitted from this branch. The endpoint is web-reachable (no .htaccess rule restricts on_publish.php, no REMOTE_ADDR check), so the trigger is a direct HTTP POST without going through nginx-rtmp.
Affected Code
File: plugin/Live/on_publish.php, lines 256-271.
if (AVideoPlugin::isEnabledByName('YPTSocket')) {
$array = setLiveKey($lth->getKey(), $lth->getLive_servers_id());
@ob_clean();
_ob_start();
$lth = new LiveTransmitionHistory($obj->liveTransmitionHistory_id);
$m3u8 = Live::getM3U8File($lth->getKey(), false, true); // value-carrying URL: contains the stream key verbatim
$users_id = $obj->row['users_id'];
$liveTransmitionHistory_id = $obj->liveTransmitionHistory_id;
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
include "{$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php";
} else {
$command = get_php(). " {$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php '$users_id' '$m3u8' '{$obj->liveTransmitionHistory_id}'"; // <-- BUG: literal quotes, no escapeshellarg
$pid = execAsync($command); // sink: shell exec
}
}Live::getM3U8File($key, false, true) (Live.php:1337-1350 -> Live.php:4845-4889) returns "{$playerServer}{$uuid}.m3u8" (or "{$playerServer}{$uuid}/index.m3u8") where $uuid = $this->getKeyWithIndex(...) is the stream key string read straight out of the live_transmitions table. There is no character normalisation between database read and command construction.
Why it's wrong: '$m3u8' is not shell quoting. PHP interpolates $m3u8 into the string between two literal ' characters. The shell then tokenises the result. If $m3u8 contains ' itself, the shell sees '…' followed by <attacker bytes> followed by another ', which forms two adjacent quoted strings concatenated with whatever the attacker put between them. Embedded ;, backticks, $(), &&, |, or \n then run as shell commands. The fix is escapeshellarg(), which AVideo already uses 137 times in ffmpeg invocations (e.g. getVideos.php:1069, videos.json.php, aVideoEncoder.json.php); this branch simply forgot it.
Exploit Chain
- Attacker authenticates and arranges for one of the command variables to contain
'. Under the current code the readily available primitive is acanStreamuser supplying a stream key via the persistence path (saveLive.php's$_REQUEST['key']is written verbatim tolive_transmitions.key). State: a row exists withkey = "evilkey';id>/tmp/pwn;#". - Attacker POSTs directly to
https://target/plugin/Live/on_publish.php(the file is web-served, no IP restriction) with body:
name=evilkey';id>/tmp/pwn;
#
p=<md5(attacker_password)>
tcurl=rtmp://target/live
addr=1.2.3.4on_publish.php:117 runs preg_replace("/[&=]/", '', $_POST['name']) - only &/= are stripped, so ';id>/tmp/pwn;# survives. Lines 143-163 confirm $_GET['p'] === $user->getPassword() (the attacker is themself, knows their own MD5), persist a LiveTransmitionHistory row with the poisoned key, and set $obj->error = false. State: authorisation gate passed.
- Line 261 calls
Live::getM3U8File($lth->getKey(), false, true), returning"https://server/live/evilkey';id>/tmp/pwn;#.m3u8". State:$m3u8carries the injection payload. - Line 267 builds the command string by concatenation:
php /var/www/AVideo/plugin/Live/on_publish_socket_notification.php '7' 'https://server/live/evilkey';id>/tmp/pwn;#.m3u8' '42'Shell tokenisation sees: php, …/on_publish_socket_notification.php, '7', 'https://server/live/evilkey' (the attacker's ' closed the second quote), then operator ;, then command-2 id>/tmp/pwn, then ;, then #.m3u8' '42' (everything after # is a comment). State: the shell has parsed two real commands.
- Line 269
execAsync($command)spawns the shell, which runs the secondary commandid>/tmp/pwnas the AVideo PHP-FPM/Apache user. State: arbitrary OS command execution with the privileges of the web-server runtime user. - Final state: the attacker reads
/tmp/pwn, swaps the payload for a reverse shell, exfiltratesvideos/configuration.php(database password and root URL), drops a webshell into the upload tree, or pivots to other plugin credentials (PayPal/Stripe API keys, AWS keys for the CDN plugin, OpenAI key for the AI plugin).
Security Impact
Severity: sec-high. Pre-auth-friendly remote code execution: the only prerequisite is that the attacker can place a ' into one of the three command-line variables, which on a streaming platform means a single low-privilege account. Attacker capability: with one canStream account and two HTTP requests, the attacker executes arbitrary shell commands as the AVideo runtime user. From there: read database credentials, exfiltrate user data, write a webshell into a publicly-served path, pivot to plugin credentials, persist via cron, or escalate via any local sudoers entries. Preconditions: AVideo deployment with Live and YPTSocket plugins enabled (the standard live-streaming bundle); attacker can reach /plugin/Live/on_publish.php over the network; a value containing ' is reachable into users_id, m3u8, or liveTransmitionHistory_id (the current code lets canStream users supply such a value via the stream-key persistence path). Differential: source-inspection-verified end-to-end. The shell-tokenising behaviour of '…'…'…' is reproducible offline:
$ s="php /a/b.php '7' 'https://s/live/evilkey';id>/tmp/pwn;#.m3u8' '42'"
$ rm -f /tmp/pwn; bash -c "$s" 2>/dev/null; ls -l /tmp/pwn
-rw-r--r-- 1 user user N <date> /tmp/pwn
# injected `id` ran, output capturedThe patched build (with the suggested escapeshellarg() fix below applied) constructs php /a/b.php '7' 'https://s/live/evilkey'\''id>/tmp/pwn;#.m3u8' '42', which the shell parses as a single argument containing the literal characters; the second command never runs.
Suggested Fix
Use escapeshellarg() on every variable interpolated into the command string. This matches established project conventions (137 other call sites for ffmpeg invocations).
--- a/plugin/Live/on_publish.php
+++ b/plugin/Live/on_publish.php
@@ -264,7 +264,11 @@
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
include "{$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php";
} else {
- $command = get_php(). " {$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php '$users_id' '$m3u8' '{$obj->liveTransmitionHistory_id}'";
+ $command = get_php()
+ . ' ' . escapeshellarg($global['systemRootPath'] . 'plugin/Live/on_publish_socket_notification.php')
+ . ' ' . escapeshellarg((string) $users_id)
+ . ' ' . escapeshellarg((string) $m3u8)
+ . ' ' . escapeshellarg((string) $obj->liveTransmitionHistory_id);
_error_log("NGINX Live::on_publish YPTSocket start ($command)");
$pid = execAsync($command);
}Defence-in-depth: on_publish.php is the nginx-rtmp webhook and should not be reachable from the public Internet. Add an .htaccess/nginx location rule restricting the file to 127.0.0.1 and any configured RTMP server IPs. That blocks the trigger path independently of the sanitisation work.
AnalysisAI
Remote code execution in AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.
Technical ContextAI
AVideo is a PHP-based video streaming platform that integrates with nginx-rtmp for live streaming. The vulnerability resides in the Live plugin's on_publish.php webhook, which is triggered during stream publishing events. When the YPTSocket plugin is enabled, the code constructs a shell command by concatenating user-controlled values wrapped in literal single quotes without using PHP's escapeshellarg() function. The root cause is CWE-78 (OS Command Injection) - the developer incorrectly assumed that wrapping variables in single quotes ('$variable') provides shell escaping, but this merely adds literal quote characters that can be closed by an embedded single quote in the input. The codebase already uses escapeshellarg() correctly in 137 other locations for ffmpeg invocations, making this an isolated implementation error.
RemediationAI
No vendor-released patch identified at time of analysis. The advisory provides a detailed code fix using escapeshellarg() for all interpolated variables, which should be applied manually to plugin/Live/on_publish.php. As an immediate mitigation, restrict access to /plugin/Live/on_publish.php via .htaccess or nginx location rules to only allow connections from 127.0.0.1 and configured RTMP server IPs, blocking the primary attack vector. Additionally, review and restrict which users have canStream permissions, as this privilege gates the ability to set malicious stream keys. Monitor for stream keys containing shell metacharacters like single quotes, semicolons, or backticks as potential exploitation attempts.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33310
GHSA-xw67-cg5f-4m2r