Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.
Published: 2026-03-23
Score: 10 Critical
EPSS: 11.1% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A chain of vulnerabilities in the CloneSite plugin of AVideo allows an unauthenticated attacker to first obtain clone secret keys from the /clones.json.php endpoint. These keys enable a full database dump via /cloneServer.json.php, exposing admin password hashes stored as MD5, which can be cracked with little effort. After gaining administrative credentials, the attacker can exploit an OS command injection flaw in the rsync command construction of /cloneClient.json.php, allowing arbitrary system command execution. This sequence results in complete remote code execution on the underlying server.

Affected Systems

The vulnerability affects the WWBN AVideo platform in all releases up to and including version 26.0. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 10.0 indicates the highest severity, and the EPSS score of 11% suggests a low current exploitation probability, though the vulnerability is still actionable. The attack vector is purely unauthenticated HTTP access to the exposed clone endpoints, requiring no prior authentication. Once the admin credentials are obtained from the database dump, the OS command injection enables full compromise. The vulnerability is not yet listed in the CISA KEV catalog, but its high severity warrants immediate attention.

Generated by OpenCVE AI on April 22, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit c85d076375fab095a14170df7ddb27058134d38c to fix the clone plugin vulnerability.
  • Restart AVideo services to ensure the patch takes effect.
  • Update to the latest AVideo release (≥ 27.0) if available and keep monitoring for new advisories.

Advisories
Source: Github GHSA
ID: GHSA-687q-32c6-8x68
Title: AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
History

Tue, 24 Mar 2026 19:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Tue, 24 Mar 2026 02:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 14:30:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.

Type: Title
Values Added: AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

Type: Weaknesses
Values Added: CWE-284; CWE-78

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T21:40:58.174Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33478

Vulnrichment

Updated: 2026-03-23T21:36:27.359Z

NVD

Status : Analyzed

Published: 2026-03-23T15:16:34.063

Modified: 2026-03-24T18:51:55.653

Link: CVE-2026-33478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses