Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.
Published: 2026-03-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch Immediately
AI Analysis

Impact

An open‑source video platform contains a flaw in the sanitizeFFmpegCommand() function that removes many shell metacharacters but fails to strip the Bash command substitution syntax $(). The sanitized command is executed via sh -c inside execAsync(), so a crafted encrypted ffmpeg payload can cause arbitrary command execution on the standalone encoder server, compromising confidentiality, integrity, and availability.

Affected Systems

The affected vendor is WWBN, product AVideo. Versions up to and including 26.0 contain the vulnerability; newer releases include the patched implementation.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. EPSS is below 1%, suggesting low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. If the standalone encoder is accessible from the internet or an attacker can submit a valid encrypted ffmpeg payload, execution of arbitrary shell commands is possible, implying a remote attack vector.

Generated by OpenCVE AI on March 24, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security fix from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 or upgrade to a newer AVideo release that includes the patch
  • Restrict external access to the standalone encoder server to trusted administrators and monitor logs for suspicious encrypted payload activity
  • If ffmpeg command execution is not required for normal operation, disable or remove the functionality to eliminate the attack surface

Generated by OpenCVE AI on March 24, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pmj8-r2j7-xg6c AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
History

Tue, 24 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.
Title AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T18:08:31.712Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33482

cve-icon Vulnrichment

Updated: 2026-03-23T18:08:13.125Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T15:16:34.560

Modified: 2026-03-24T18:41:00.410

Link: CVE-2026-33482

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:28:02Z

Weaknesses