CVE-2026-29058

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-06 07:16

Updated : 2026-03-10 19:14

NVD link : CVE-2026-29058

Mitre link : CVE-2026-29058

CVE.ORG link : CVE-2026-29058

JSON object : View

Products Affected

wwbn

avideo-encoder

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-29058", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-06T07:16:02.267", "references": [{"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0."}, {"lang": "es", "value": "AVideo es un software de plataforma para compartir videos. Antes de la versi\u00f3n 7.0, un atacante no autenticado puede ejecutar comandos arbitrarios del sistema operativo en el servidor inyectando sustituci\u00f3n de comandos de shell en el par\u00e1metro GET base64Url. Esto puede llevar a un compromiso total del servidor, exfiltraci\u00f3n de datos (por ejemplo, secretos de configuraci\u00f3n, claves internas, credenciales) e interrupci\u00f3n del servicio. Este problema ha sido parcheado en la versi\u00f3n 7.0."}], "lastModified": "2026-03-10T19:14:24.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3524E39-DF7C-4A58-9A7C-E7932948818C", "versionEndExcluding": "7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}