Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
Published: 2026-04-21
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability originates in the CloneSite plugin of WWBN AVideo, which builds a wget command from the user-controlled url parameter and executes it via exec(). Because the input is concatenated into the command string unsanitized, an attacker can insert shell metacharacters to append arbitrary commands, leading to Remote Code Execution on the server. The weakness is a classic command injection flaw (CWE-77) that directly compromises the confidentiality, integrity, and availability of the host system.
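The unsafe pattern the description refers to, next to a hardened form, as an added illustration (this is not AVideo's own code; the function names, the temporary file path and the validation rules are assumptions):

```php
<?php
// Illustrative example, not the project's code. Shows the anti-pattern the
// advisory describes (request input spliced into a wget command run via exec())
// beside a hardened version that validates the URL and quotes it for the shell.

// Unsafe pattern: $url is concatenated straight into the command string, so any
// shell metacharacter in it changes what the shell runs.
function cloneSiteUnsafe(string $url): string {
    exec("wget -q -O /tmp/clone.zip " . $url, $output, $rc);
    return implode("\n", $output);
}

// Hardened pattern, step 1: accept only a syntactically valid http(s) URL.
// Returns the cleaned URL, or null when the input must be rejected.
function validateCloneUrl(string $url): ?string {
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Scheme allowlist (assumption): only http/https make sense for a site clone.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hardened pattern, step 2: pass the value to the shell as one quoted argument.
function cloneSiteSafe(string $url): string {
    $clean = validateCloneUrl($url);
    if ($clean === null) {
        throw new InvalidArgumentException('Invalid clone URL');
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so ';', '|', '$(...)' and similar are inert. The '--' stops wget
    // from reading a value that starts with '-' as an option.
    $cmd = 'wget -q -O /tmp/clone.zip -- ' . escapeshellarg($clean);
    exec($cmd, $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException('wget failed with exit code ' . $rc);
    }
    return implode("\n", $output);
}
```

Validation and quoting are complementary: quoting alone neutralises the shell, while the scheme and format checks keep obviously malformed values from ever reaching the command.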

Affected Systems

WWBN AVideo, specifically the CloneSite plugin, is affected in all releases 29.0 and older. The vulnerable endpoint cloneServer.json.php is included in these versions.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity. The EPSS score of 1% indicates a low probability of exploitation in the wild, and the absence of a KEV listing does not diminish the risk. It is inferred that the flaw can be exploited remotely against any network-exposed instance of the vulnerable endpoint, requiring only a crafted URL. The vulnerability does not depend on local privileges and can execute arbitrary commands with the permissions of the web server process.

Generated by OpenCVE AI on April 22, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version newer than 29.0, applying commit 473c609fc2defdea8b937b00e86ce88eba1f15bb or the official patch that sanitizes the cloneServer.json.php input.
  • If the CloneSite plugin is not essential, disable or uninstall it to remove the vulnerable endpoint entirely.
  • Reduce the attack surface by restricting network access to the AVideo instance, for example by placing it behind a firewall or using role-based IP whitelisting so only trusted IPs can reach the cloneServer.json.php endpoint.


Advisories

Source: GitHub GHSA
ID: GHSA-xr6f-h4x7-r6qp
Title: WWBN AVideo: RCE cause by clonesite plugin

History

Fri, 24 Apr 2026 15:15:00 +0000
  CPEs (added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
  Metrics cvssV3_1 (added): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 22 Apr 2026 19:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 01:45:00 +0000
  First Time appeared (added): Wwbn; Wwbn avideo
  Vendors & Products (added): Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000
  Description (added): WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
  Title (added): WWBN AVideo vulnerable to RCE caused by clonesite plugin
  Weaknesses (added): CWE-77
  References (added): (no values shown)
  Metrics cvssV4_0 (added): {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T18:35:47.574Z

Reserved: 2026-04-20T14:01:46.670Z

Link: CVE-2026-41304

Vulnrichment

Updated: 2026-04-22T18:18:22.572Z

NVD

Status : Analyzed

Published: 2026-04-22T00:16:29.697

Modified: 2026-04-24T15:11:04.623

Link: CVE-2026-41304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses