CVE-2026-33482

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-23 15:16

Updated : 2026-03-24 18:41

NVD link : CVE-2026-33482

Mitre link : CVE-2026-33482

CVE.ORG link : CVE-2026-33482

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-33482", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-03-23T15:16:34.560", "references": [{"url": "https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n 'sanitizeFFmpegCommand()' en 'plugin/API/standAlone/functions.php' est\u00e1 dise\u00f1ada para prevenir la inyecci\u00f3n de comandos del sistema operativo en comandos ffmpeg eliminando metacaracteres peligrosos del shell ('&&', ';', '|', '`', '<', '>'). Sin embargo, no logra eliminar '$()' (sintaxis de sustituci\u00f3n de comandos de bash). Dado que el comando saneado se ejecuta dentro de un contexto 'sh -c' entre comillas dobles en 'execAsync()', un atacante que puede crear una carga \u00fatil cifrada v\u00e1lida puede lograr la ejecuci\u00f3n arbitraria de comandos en el servidor codificador independiente. El commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contiene un parche."}], "lastModified": "2026-03-24T18:41:00.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}