Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2026-29058 — OS Command Injection in Avideo-encoder

CWE-78 — OS Command Injection6 documents6 sources

Severity

9.8CRITICALNVD

EPSS

50.9%

top 2.13%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Wwbn Avideo-encoder Wwbn Avideo

Timeline

PublishedMar 6

Latest updateMar 20

Description

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶Packagistwwbn/avideo< 7.0.0

▶NVDwwbn/avideo-encoder< 7.0

🔴Vulnerability Details

OSV

WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php↗2026-03-03

▶

GHSA

WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php↗2026-03-03

▶

💥Exploits & PoCs

Metasploit

AVideo Encoder getImage.php Unauthenticated Command Injection↗

▶

🕵️Threat Intelligence

Rapid7

Metasploit Wrap-Up 03/20/2026↗2026-03-20

▶

Wiz

CVE-2026-29058 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶