Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
Published: 2026-04-21
Score: 8.9 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability originates in the CloneSite plugin of WWBN AVideo, where the endpoint cloneServer.json.php builds a wget command from the user-controlled url parameter and runs it through exec(). Because the value is concatenated into the command string without sanitization or quoting, an attacker can append shell metacharacters such as `;` and have the shell run arbitrary commands on the server with the privileges of the web server process. This is a classic command injection flaw (CWE-77) that directly compromises the confidentiality, integrity and availability of the host.
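As an added illustration (not code from AVideo or the commit referenced above), the pattern the advisory describes is shown next to a hardened equivalent. Only the core facts come from the advisory: a user-controlled `url` was concatenated into a wget command and run through exec(). The function names, the wget options, the destination path and the attacker payload are assumptions constructed for the example, and the quoting shown assumes a POSIX host, where escapeshellarg() wraps its argument in single quotes.

```php
<?php
// Added illustration, not code from AVideo. The advisory says only that the
// `url` parameter was concatenated into a wget command and run through exec();
// the function names, the wget options and the destination path are assumptions.
declare(strict_types=1);

/** Vulnerable pattern: $url is interpolated into the shell string unchanged. */
function buildCloneCommandVulnerable(string $url, string $dest): string
{
    return "wget -q -O {$dest} {$url}";
}

/**
 * Allow only absolute http(s) URLs. Note that ';' is legal inside a URL path,
 * so this check alone does not stop the injection; it is defence in depth.
 */
function isHttpUrl(string $url): bool
{
    $parts = parse_url($url);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * Hardened: validate, then quote every dynamic piece with escapeshellarg()
 * so /bin/sh receives each value as one literal argument.
 */
function buildCloneCommandHardened(string $url, string $dest): string
{
    if (!isHttpUrl($url)) {
        throw new InvalidArgumentException('url must be an absolute http(s) URL');
    }
    return 'wget -q -O ' . escapeshellarg($dest) . ' ' . escapeshellarg($url);
}

// Constructed attacker input: a valid-looking URL whose path smuggles a
// second command after ';'. It contains no spaces, so it passes isHttpUrl().
$attack = 'http://example.com/;id>/tmp/pwned';
$dest   = '/tmp/clone.tar';

// Unsafe: exec() hands the string to /bin/sh, which runs wget and then
// `id > /tmp/pwned`. The '>' is a shell redirection, not part of the URL.
$unsafe = buildCloneCommandVulnerable($attack, $dest);
assert($unsafe === 'wget -q -O /tmp/clone.tar http://example.com/;id>/tmp/pwned');

// Hardened: the whole payload is one single-quoted argument. wget receives it
// as the URL to fetch and nothing else is executed.
$safe = buildCloneCommandHardened($attack, $dest);
assert($safe === "wget -q -O '/tmp/clone.tar' 'http://example.com/;id>/tmp/pwned'");

// The scheme allowlist rejects non-URL and non-http input outright.
assert(isHttpUrl('; id') === false);
assert(isHttpUrl('file:///etc/passwd') === false);

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

escapeshellarg() is the control that actually neutralises the metacharacters; the URL check only narrows the input. On PHP 7.4 and later the shell can be avoided entirely by passing an array of arguments to proc_open(), which executes wget directly rather than through /bin/sh, so there is no command string to break out of.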

Affected Systems

WWBN AVideo is affected in all releases up to and including 29.0 that ship the CloneSite plugin; the vulnerable endpoint cloneServer.json.php is part of that plugin.

Risk and Exploitability

The CVSS v4.0 score of 8.9 (AV:N/AC:L/AT:N/PR:N/UI:N) indicates high severity: the endpoint is reachable over the network, and exploitation needs no privileges, no user interaction and nothing more than a single crafted request. The vector rates exploit maturity as proof-of-concept (E:P). No EPSS score is available and the CVE is not listed in CISA KEV, but neither lowers the practical risk for an internet-exposed instance. Injected commands run with the permissions of the web server process.

Generated by OpenCVE AI on April 22, 2026 at 04:26 UTC.

Remediation

The Description cites commit 473c609fc2defdea8b937b00e86ce88eba1f15bb as containing the fix. No vendor advisory or separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Update AVideo to a release newer than 29.0 that includes commit 473c609fc2defdea8b937b00e86ce88eba1f15bb, which sanitizes the url input to cloneServer.json.php.
  • If the CloneSite plugin is not essential, disable or uninstall it so the vulnerable endpoint is no longer reachable at all.
  • Reduce the attack surface by restricting network access to the AVideo instance, for example by placing it behind a firewall or by IP allowlisting at the web server so only trusted addresses can reach cloneServer.json.php.
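As an added example (not AVideo's shipped configuration), the allowlisting in the last item expressed as an Apache 2.4 directive. It assumes mod_authz_core and that the endpoint is served from the AVideo document root; 203.0.113.0/24 is a documentation range standing in for your administrative network.

```apache
# Added example, not AVideo's shipped configuration: limit the vulnerable
# endpoint to an allowlisted network until the fixed release is deployed.
# Assumes Apache 2.4 (mod_authz_core). 203.0.113.0/24 is a documentation
# range standing in for the admin network. Place it in the vhost or in a
# .htaccess file at the document root.
<Files "cloneServer.json.php">
    Require ip 203.0.113.0/24
</Files>

# If the CloneSite plugin is not needed at all, deny the endpoint outright:
# <Files "cloneServer.json.php">
#     Require all denied
# </Files>
```

Because `<Files>` matches on the file name wherever it sits in the served tree, the rule does not depend on the plugin's directory layout. It is a stopgap, not a substitute for the patch: the concatenation into exec() remains until the fixed code is deployed.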

Generated by OpenCVE AI on April 22, 2026 at 04:26 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 01:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wwbn; Wwbn avideo
Vendors & Products                     Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
Title                          WWBN AVideo vulnerable to RCE caused by clonesite plugin
Weaknesses                     CWE-77
References
Metrics                        cvssV4_0 {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T23:07:48.585Z

Reserved: 2026-04-20T14:01:46.670Z

Link: CVE-2026-41304

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T00:16:29.697

Modified: 2026-04-22T00:16:29.697

Link: CVE-2026-41304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z

Weaknesses