Skip to main content

Avideo EUVDEUVD-2026-14484

| CVE-2026-33648 HIGH
OS Command Injection (CWE-78)
2026-03-23 GitHub_M GHSA-5m4q-5cvx-36mw
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 18:45 euvd
EUVD-2026-14484
Analysis Generated
Mar 23, 2026 - 18:45 vuln.today
CVE Published
Mar 23, 2026 - 18:25 nvd
HIGH 8.8

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled users_id and liveTransmitionHistory_id values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to exec(), allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as $() or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.

AnalysisAI

WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.

Technical ContextAI

The vulnerability affects WWBN AVideo (cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*), an open-source video streaming and management platform. This is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The restreamer endpoint accepts JSON requests containing users_id and liveTransmitionHistory_id values, which are used to construct log file paths without validation or sanitization. These unsanitized values are then directly concatenated into shell commands passed to PHP's exec() function, allowing shell metacharacters such as backticks, $(), semicolons, or pipe operators to break out of the intended command context and execute arbitrary system commands with the privileges of the web server process.

RemediationAI

Apply the security patch provided in commit 99b865413172045fef6a98b5e9bfc7b24da11678 available at https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678, or upgrade to a version of AVideo newer than 26.0 that incorporates this fix. Review the GitHub Security Advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw for additional guidance from the vendor. Until patching is feasible, implement compensating controls such as restricting access to the restreamer endpoint through web application firewall rules, limiting authenticated user privileges, implementing strict input validation at the network perimeter, and monitoring system logs for suspicious command execution patterns or unexpected process spawning from the web server user context. Consider disabling the restreamer functionality entirely if not required for business operations until the patch can be applied.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

EUVD-2026-14484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy