Description
A security vulnerability has been detected in kalcaddle Kodbox up to 1.64. This issue affects the function parseVideoInfo of the file /workspace/source-code/plugins/fileThumb/lib/VideoResize.class.php of the component fileThumb Plugin. The manipulation of the argument ffmpegBin leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the parseVideoInfo function of the fileThumb plugin (VideoResize.class.php), where the ffmpegBin argument is embedded in a shell command without sanitization, so a value containing shell metacharacters is interpreted by the shell instead of being treated as a path to the ffmpeg binary. A successful attacker executes arbitrary commands on the host with the privileges of the PHP worker serving Kodbox, compromising the confidentiality, integrity, and availability of the affected installation.

Affected Systems

Kalcaddle Kodbox installations using the fileThumb plugin, specifically versions up to and including 1.64, are affected. The vulnerable code is in the VideoResize.class.php file within the plugin's source tree; no fixed version had been published when this record was created.

Risk and Exploitability

The headline score of 5.3 is the CVSS v4.0 rating (Medium); the v3.0 and v3.1 vectors score 6.3 and the v2.0 vector 6.5. All four vectors agree on the shape of the attack: network reachable (AV:N), low complexity (AC:L), no user interaction, but requiring a low-privileged account (PR:L, Au:S), so "remote" here means an authenticated Kodbox user sending a request that manipulates the ffmpegBin parameter, not an anonymous attacker. The exploit-maturity component (E:P / E:POC) records that a proof of concept has been published. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but with a public exploit and no vendor response the risk of exploitation is non‑negligible if no mitigation is applied.

Generated by OpenCVE AI on May 17, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround had been provided at the time of publication; the vendor did not respond to the disclosure.

OpenCVE Recommended Actions

  • Upgrade Kalcaddle Kodbox to a version newer than 1.64 as soon as the vendor publishes a patched release; none was available when this record was created, so track the vendor's releases and the advisories section below.
  • Until a fix exists, make sure the value used as ffmpegBin can only come from trusted server-side configuration (an allow-listed absolute path to the ffmpeg binary), never from request data, and invoke ffmpeg without a shell or with escapeshellarg/escapeshellcmd applied to every shell-bound value.
  • Limit exposure of the fileThumb endpoint: restrict it to authenticated, trusted users, allow-list source IPs where practical, or place the instance behind a reverse proxy or WAF that rejects requests carrying shell metacharacters in the affected parameter.

Generated by OpenCVE AI on May 17, 2026 at 13:28 UTC.
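The following PHP is an added illustration, not code from Kodbox, from VulDB, or from this page. The class and method names (ThumbVideoInfo, parseVideoInfoUnsafe, parseVideoInfoSafe, resolveFfmpeg), the allow-list paths and the probe string are assumptions chosen to show the pattern the Impact analysis and the second recommended action refer to: an attacker-influenced binary path concatenated into a shell string, placed beside a version that validates the path against a server-side allow-list and invokes ffmpeg without any shell at all.

```php
<?php
// Added illustration, not Kodbox's code. Class, method and helper names are
// assumed; the allow-list and the probe values below are constructed examples.
declare(strict_types=1);

final class ThumbVideoInfo
{
    // Constructed allow-list: the only ffmpeg binaries this deployment may run.
    private const ALLOWED_FFMPEG = ['/usr/bin/ffmpeg', '/usr/local/bin/ffmpeg'];

    /**
     * Vulnerable pattern: $ffmpegBin is spliced straight into a shell string.
     * Escaping the file name does not help when the binary path itself is
     * attacker-controlled. A value such as
     *     "/usr/bin/ffmpeg; id > /tmp/pwned #"
     * terminates the ffmpeg invocation and runs the attacker's command.
     */
    public static function parseVideoInfoUnsafe(string $ffmpegBin, string $file): string
    {
        $cmd = $ffmpegBin . ' -i ' . escapeshellarg($file) . ' 2>&1';
        return (string) shell_exec($cmd);   // always goes through /bin/sh
    }

    /**
     * Hardened: reject anything that is not a known, canonical, executable
     * path, then run ffmpeg as an argv array so no shell parses the command.
     */
    public static function parseVideoInfoSafe(string $ffmpegBin, string $file): string
    {
        $bin = self::resolveFfmpeg($ffmpegBin);
        if ($bin === null) {
            throw new InvalidArgumentException('ffmpegBin is not an allowed ffmpeg binary');
        }
        // PHP >= 7.4: an array command is executed directly, not via /bin/sh,
        // so ';', '|', '$(...)' and friends are just bytes in an argument.
        $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $pipes = [];
        $proc  = proc_open([$bin, '-i', $file], $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('failed to start ffmpeg');
        }
        // ffmpeg prints stream information on stderr; capture both streams.
        $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($proc);
        return $out;
    }

    /** Returns the canonical path if $candidate names an allowed binary, else null. */
    public static function resolveFfmpeg(string $candidate): ?string
    {
        // Fast reject: relative paths and any byte a shell could interpret.
        if ($candidate === '' || $candidate[0] !== '/'
            || preg_match('/[^A-Za-z0-9_\/.\-]/', $candidate) === 1) {
            return null;
        }
        // realpath() collapses "..", symlinks and duplicate slashes and fails
        // for paths that do not exist, so the allow-list compare is exact.
        $real = realpath($candidate);
        if ($real === false || !is_executable($real)) {
            return null;
        }
        return in_array($real, self::ALLOWED_FFMPEG, true) ? $real : null;
    }
}

// Constructed probes: an injected value beside a legitimate one.
$injected = '/usr/bin/ffmpeg; id > /tmp/pwned #';
var_dump(ThumbVideoInfo::resolveFfmpeg($injected));          // NULL: rejected
var_dump(ThumbVideoInfo::resolveFfmpeg('/usr/bin/ffmpeg'));  // path if installed, else NULL
var_dump(ThumbVideoInfo::resolveFfmpeg('/usr/bin/../bin/ffmpeg')); // canonicalised, then checked
```

Two design points matter here. First, the allow-list is compared after realpath(), so traversal, symlink and double-slash variants of an allowed path cannot slip through, and a path that does not exist is rejected outright. Second, the hardened version never builds a shell string: even if the allow-list check were weakened later, proc_open with an array argument passes each element as a separate argv entry, which is what escapeshellarg is trying to approximate and what escapeshellcmd cannot guarantee when the attacker controls the command name itself.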

Advisories

No advisories yet.

History

Sun, 17 May 2026 12:30:00 +0000

Type Values Removed Values Added
(Values Removed: none. Every entry below is a Values Added entry.)

Description: A security vulnerability has been detected in kalcaddle Kodbox up to 1.64. This issue affects the function parseVideoInfo of the file /workspace/source-code/plugins/fileThumb/lib/VideoResize.class.php of the component fileThumb Plugin. The manipulation of the argument ffmpegBin leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: kalcaddle Kodbox fileThumb Plugin VideoResize.class.php parseVideoInfo command injection
First Time appeared: Kalcaddle; Kalcaddle kodbox
Weaknesses: CWE-74; CWE-77
CPEs: cpe:2.3:a:kalcaddle:kodbox:*:*:*:*:*:*:*:*
Vendors & Products: Kalcaddle; Kalcaddle kodbox
References: (none listed)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T12:00:14.089Z

Reserved: 2026-05-16T16:23:09.576Z

Link: CVE-2026-8753

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T13:16:45.940

Modified: 2026-05-17T13:16:45.940

Link: CVE-2026-8753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T18:00:06Z

Weaknesses