Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.
Published: 2026-03-23
Score: 8.1 High
EPSS: 2.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An open‑source video platform contains a flaw in the sanitizeFFmpegCommand() function that removes many shell metacharacters but fails to strip the Bash command substitution syntax $(). The sanitized command is executed via sh -c inside execAsync(), so a crafted encrypted ffmpeg payload can cause arbitrary command execution on the standalone encoder server, compromising confidentiality, integrity, and availability.

Affected Systems

The affected vendor is WWBN, product AVideo. Versions up to and including 26.0 contain the vulnerability; newer releases include the patched implementation.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of 2% suggests a modest probability of exploitation, lower than that of many high‑profile vulnerabilities. The vulnerability is not listed in CISA KEV. Based on the description, the attack requires the attacker to submit a crafted encrypted ffmpeg payload to the standalone encoder, which then executes the command in a double‑quoted sh -c context. Therefore, if the standalone encoder is reachable by an attacker, or if an attacker can otherwise supply such a payload, arbitrary command execution is possible; this is a remote exploitation scenario.
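The description and the analysis above describe the mechanism: a sanitizer that strips a fixed list of shell metacharacters is fed to `sh -c`, and `$()` is not on the list. The PHP script below is an added illustration written for this page; it is not AVideo's code, and `denylistSanitize()` is a reconstruction of the strip-based pattern the description characterises, not the real `sanitizeFFmpegCommand()` (which the page does not reproduce). It contrasts that pattern with a reject-on-disallowed-character allowlist and a shell-free execution path via `proc_open()` with an argv array. The function names `isAllowlistedFFmpegCommand()`, `buildArgv()`, `runWithoutShell()` and the two sample command strings are constructed for the example.

```php
<?php
// Added example, not AVideo's code. denylistSanitize() reconstructs the
// strip-based approach the CVE description characterises; the project's
// real sanitizeFFmpegCommand() is not reproduced here.

// Strip-based denylist: removes the listed metacharacters but, like the
// vulnerable pattern described, leaves "$(...)" untouched.
function denylistSanitize(string $cmd): string
{
    return str_replace(['&&', ';', '|', '`', '<', '>'], '', $cmd);
}

// Hardened validation: reject (never "clean") any command containing a
// character outside a conservative allowlist. "$", "(", ")", quotes and
// backslashes are absent, so command substitution cannot get through.
function isAllowlistedFFmpegCommand(string $cmd): bool
{
    return preg_match('/^[A-Za-z0-9 _.\/:=,@%+-]+$/', $cmd) === 1;
}

// Validate, then split into an argv array for proc_open(). Assumes no
// argument contains whitespace; paths with spaces need a structured input
// format instead of a single command string.
function buildArgv(string $cmd): array
{
    if (!isAllowlistedFFmpegCommand($cmd)) {
        throw new InvalidArgumentException('rejected: disallowed characters');
    }
    $argv = preg_split('/\s+/', trim($cmd));
    if ($argv[0] !== 'ffmpeg') {
        throw new InvalidArgumentException('rejected: command must start with ffmpeg');
    }
    return $argv;
}

// Shell-free execution: given an array (PHP >= 7.4), proc_open() launches the
// program directly rather than through "sh -c", so no metacharacter in any
// argument is ever interpreted. Returns the process exit status.
function runWithoutShell(array $argv): int
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed sample inputs: a benign transcode and one carrying a harmless
// "$(...)" substitution, used only to show what each approach does with it.
$benign  = 'ffmpeg -i /var/videos/in.mp4 -c:v libx264 -crf 23 /var/videos/out.mp4';
$tainted = 'ffmpeg -i /var/videos/in.mp4 -metadata title=$(echo probe) /var/videos/out.mp4';

foreach ([$benign, $tainted] as $cmd) {
    $stripped = denylistSanitize($cmd);
    printf("denylist output still contains \$(: %s\n", strpos($stripped, '$(') !== false ? 'yes' : 'no');
    printf("allowlist accepts:               %s\n", isAllowlistedFFmpegCommand($cmd) ? 'yes' : 'no');
    try {
        $argv = buildArgv($cmd);
        echo "argv for proc_open: " . implode(' | ', $argv) . "\n";
        // runWithoutShell($argv) would launch it; skipped here because ffmpeg
        // may not be installed where this script is run.
    } catch (InvalidArgumentException $e) {
        echo "not executed: " . $e->getMessage() . "\n";
    }
    echo "\n";
}
```

For the tainted input the denylist leaves `$(` in place while the allowlist rejects the whole command; for the benign transcode both paths accept it and the argv array can be handed to `proc_open()` without a shell. The page does not show what the referenced commit changes, so this example should be read as the general defensive pattern (validate by allowlist, reject rather than strip, avoid `sh -c`), not as a description of the upstream fix.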

Generated by OpenCVE AI on June 18, 2026 at 09:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security fix from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 or upgrade to a newer AVideo release that includes the patch
  • Restrict external access to the standalone encoder server to trusted administrators and monitor logs for suspicious encrypted payload activity
  • If ffmpeg command execution is not required for normal operation, disable or remove the functionality to eliminate the attack surface

Advisories
  Source: GitHub GHSA
  ID: GHSA-pmj8-r2j7-xg6c
  Title: AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
History

Tue, 24 Mar 2026 18:45:00 +0000
  Values added:
    CPEs: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000
  Values added:
    First Time appeared: Wwbn; Wwbn avideo
    Vendors & Products: Wwbn; Wwbn avideo

Mon, 23 Mar 2026 18:15:00 +0000
  Values added:
    Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 14:30:00 +0000
  Values added:
    Description: identical to the Description section at the top of this page
    Title: AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
    Weaknesses: CWE-78
    References: (no values shown)
    Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-23T18:08:31.712Z
  Reserved: 2026-03-20T16:16:48.970Z
  Link: CVE-2026-33482

Vulnrichment
  Updated: 2026-03-23T18:08:13.125Z

NVD
  Status: Analyzed
  Published: 2026-03-23T15:16:34.560
  Modified: 2026-06-17T10:37:34.483
  Link: CVE-2026-33482

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-18T10:00:16Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')