Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
Published: 2026-04-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from incomplete sanitization of external URLs within AVideo's test.php. While the wget pathway now applies escapeshellarg, the file_get_contents and curl code paths remain unsanitized, and the URL validation regex `/^http/` accepts strings such as httpevil.com, so an attacker can embed shell commands in a specially crafted URL. This flaw enables full remote command execution on the host, compromising confidentiality, integrity, and availability (CWE-78).

Affected Systems

AVideo, an open-source video platform developed by WWBN, is affected in all releases up to and including version 29.0. The fix in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 removes the unsanitized code paths and is present in newer releases.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical vulnerability. EPSS data is presently unavailable, and the issue is not listed in the CISA KEV catalog. Exploitation requires an externally reachable HTTP request to test.php with a malicious URL as input. Once the vulnerable code executes, an attacker achieves full command execution, making the risk high for exposed deployments.

Generated by OpenCVE AI on April 22, 2026 at 06:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to the fixed version that includes commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 or later, ensuring the file_get_contents and curl code paths are properly sanitized.
  • If an upgrade cannot be performed immediately, restrict or disable external access to the test.php endpoint to prevent exploitation.
  • Enforce stricter URL validation by rejecting patterns like httpevil.com and ensuring that only properly formed HTTP/HTTPS addresses are allowed in the input.
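The following is an added example, not AVideo's own code: it contrasts the `/^http/` prefix check described in the advisory with a stricter validator (hypothetical helper names `weakUrlCheck`, `strictUrlCheck`, `buildWgetCommand`) that requires a well-formed http/https URL and only then passes it through escapeshellarg.

```php
<?php
// Added example (not AVideo's code). Sample URLs below are constructed.

// Weak check: only tests that the string *starts with* "http".
// "httpevil.com" passes because the regex never requires "://".
function weakUrlCheck(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Stricter check: a well-formed absolute URL with an http/https scheme and a
// host, and no whitespace or shell metacharacters anywhere in the string.
function strictUrlCheck(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;                       // rejects "httpevil.com" (no scheme)
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // rejects ftp://, file://, etc.
    }
    // Defence in depth: the URL is also escaped before shell use, but
    // characters that mean something to a shell have no place in it.
    return preg_match('/[\s;&|`$<>()\'"\\\\]/', $url) !== 1;
}

// Build the shell command only from a validated, escaped argument.
function buildWgetCommand(string $url): ?string
{
    if (!strictUrlCheck($url)) {
        return null;                        // caller should report "invalid URL"
    }
    return 'wget -q -O /dev/null ' . escapeshellarg($url);
}

$samples = [
    'https://example.com/video.mp4',  // constructed: well-formed, accepted by both
    'httpevil.com',                   // from the advisory: weak check accepts it
    'ftp://example.com/video.mp4',    // constructed: wrong scheme
];
foreach ($samples as $url) {
    printf("%-32s weak=%s strict=%s cmd=%s\n", $url,
        weakUrlCheck($url) ? 'accept' : 'reject',
        strictUrlCheck($url) ? 'accept' : 'reject',
        buildWgetCommand($url) ?? '(none)');
}
```

The same validator should guard the file_get_contents and curl paths, since the advisory's point is that fixing only the wget path leaves the others reachable with the same input.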

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 01:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wwbn; Wwbn avideo
Vendors & Products                    Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
Title                          AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)
Weaknesses                     CWE-78
References
Metrics                        cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T23:04:32.047Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41064

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-22T00:16:28.187

Modified: 2026-04-22T00:16:28.187

Link: CVE-2026-41064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses