CVE-2026-33319 - Vulnerability Details

- AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.

Published: 2026-03-22

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises when the uploadVideoToLinkedIn() method builds a shell command by directly inserting a LinkedIn API upload URL without escaping. The resulting OS command injection allows an attacker who can manipulate the API response—including via man‑in‑the‑middle attacks, compromised OAuth tokens, or API compromise—to execute arbitrary commands as the web server user. The impact is full remote code execution and potential system compromise.

Affected Systems

The affected product is WWBN AVideo, an open source video platform, for all versions prior to 26.0. The vulnerability is present in the SocialMediaPublisher plugin's uploadVideoToLinkedIn() routine. Users running AVideo 25.x or earlier are at risk.

Risk and Exploitability

The CVSS base score of 5.9 indicates a medium severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to influence the LinkedIn API response, which might be achieved via network attacks or credential compromise. Because the payload runs as the web server process, the attacker could gain system‑level access if the web server runs with elevated privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`< 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to AVideo version 26.0 or later to apply the fixed command sanitization
If upgrading is not immediately possible, isolate and restrict LinkedIn API traffic, and monitor for suspicious upload URLs

Generated by OpenCVE AI on March 24, 2026 at 20:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-w5ff-2mjc-4phc	AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/WWBN/AVideo/commit/67d932eb05e1bc9b36796f73ff4f9fb47590598b
https://github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc

History

Tue, 24 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Mon, 23 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Sun, 22 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.
Title		AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
Weaknesses		CWE-78
References		https://github.com/WWBN/AVideo/commit/67d932eb05e1bc9b36796f73ff4f9fb47590598b https://github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-22T16:29:08.608Z

Updated: 2026-03-23T11:57:35.208Z

Reserved: 2026-03-18T21:23:36.677Z

Link: CVE-2026-33319

Vulnrichment

Updated: 2026-03-23T11:57:24.586Z

NVD

Status : Analyzed

Published: 2026-03-22T17:17:09.573

Modified: 2026-03-24T19:07:50.050

Link: CVE-2026-33319

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:32Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object