Description
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. This vulnerability affects the function Execute of the file /internal/service/ffmpeg/ffmpeg.go. The manipulation leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution via argument injection
Action: Assess Impact
AI Analysis

Impact

The vulnerability resides in the Execute function of welovemedia FFmate, permitting an attacker to inject arbitrary arguments into the underlying ffmpeg command line. This can lead to execution of unintended commands, compromising confidentiality, integrity, and availability of the affected system. The flaw aligns with CWE-74 (Injection: improper neutralization of special elements in output used by a downstream component) and CWE-88 (Argument Injection: improper neutralization of argument delimiters in a command).

Affected Systems

Welovemedia FFmate version 2.0.15 and earlier are affected. No specific patch or upgrade path is disclosed by the vendor, and the vendor has not responded to the vulnerability notification.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level. EPSS is reported as less than 1%, suggesting a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring network access to the FFmate service, where an attacker can submit crafted inputs that reach the Execute function and trigger the injection.

Generated by OpenCVE AI on April 16, 2026 at 04:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a newer version of FFmate that omits the vulnerable Execute function as soon as an update is released by the vendor.
  • Restrict network exposure of the FFmate service by applying firewall rules or placing it behind a reverse proxy, limiting access to trusted hosts only.
  • Monitor FFmpeg command logs for anomalous or unexpected arguments and investigate any suspicious activity promptly.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Welovemedia; Welovemedia ffmate
Vendors & Products | - | Welovemedia; Welovemedia ffmate

Sat, 07 Mar 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | - | A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. This vulnerability affects the function Execute of the file /internal/service/ffmpeg/ffmpeg.go. The manipulation leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | - | welovemedia FFmate ffmpeg.go Execute argument injection
Weaknesses | - | CWE-74; CWE-88
References | - | -
Metrics | - | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | - | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | - | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | - | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T16:27:45.959Z

Reserved: 2026-03-06T21:29:32.815Z

Link: CVE-2026-3682

Vulnrichment

Updated: 2026-03-11T16:22:49.774Z

NVD

Status: Awaiting Analysis

Published: 2026-03-08T00:16:13.780

Modified: 2026-03-09T13:35:07.393

Link: CVE-2026-3682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:30:13Z

Weaknesses