EUVD-2026-14484
GHSA-5m4q-5cvx-36mw
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
Analysis
WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all AVideo deployments and assess whether they are internet-accessible or used by untrusted users; disable the restreamer endpoint if not operationally critical. Within 7 days: Implement network segmentation to restrict access to AVideo servers and deploy WAF rules blocking suspicious restreamer requests; enforce strict access controls limiting authenticated user privileges. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today