cbcvebase.
CVE-2026-29058
published 2026-03-06


Priority: P178 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 2.13% (79.7th percentile)
AVideo is video-sharing platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

Affected

2 ranges

Vendor  Product         Version range    Fixed in
wwbn    avideo          >= 0, < 7.0.0    7.0.0
wwbn    avideo-encoder  < 7.0            7.0

Detection & IOCs (extracted from sources)

path: /Encoder/getImage.php
path: linux/http/avideo_encoder_getimage_cmd_injection (Metasploit module)
url: http://x/$(cmd)
command: ffmpeg -i "{$url}"
  • Monitor HTTP GET requests to /Encoder/getImage.php whose base64Url parameter, once base64-decoded, contains shell metacharacters such as $() that indicate a command substitution attempt.
  • Treat FILTER_VALIDATE_URL as no defence: a decoded value such as http://x/$(cmd) is a syntactically valid URL, so the check passes it through to the ffmpeg command line. Alert on $() in the decoded base64Url value regardless of whether the value validates as a URL.
  • Watch for unexpected child processes of ffmpeg running as www-data; a shell or network utility spawned under ffmpeg may indicate successful command injection via the getImage.php endpoint.
  • Exploitation is unauthenticated: no session cookie or authentication token is required, so flag any exploitation attempt against this endpoint whatever its source.
  • The /Encoder path is mounted on the main AVideo Apache container; successful exploitation may be followed by access to database credentials and configuration files.
  • The vulnerability is fixed in AVideo Encoder version 7.0 (commit 78178d1), which added escapeshellarg() and shell metacharacter stripping; systems running version 7.0 or later are not affected.
  • A public Metasploit exploit module exists and has been merged into the framework, significantly lowering the bar for exploitation; the source reports an EPSS exploitation probability of 50.9%.
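The following is an added example, not code from the AVideo project, the advisory, or the Metasploit module. It implements the first two detection bullets above as a scanner over constructed access-log lines: it extracts the base64Url parameter from GET requests to /Encoder/getImage.php, base64url-decodes it (tolerating stripped padding), and flags the characters that actually break out of the double-quoted ffmpeg -i "{$url}" sink. It assumes Apache/nginx combined-log format; its looks_like_url() is only a loose approximation of PHP's FILTER_VALIDATE_URL (scheme plus host), included to show that such a check accepts the payload.

```python
"""Detect CVE-2026-29058 exploitation attempts in web access logs (added example)."""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

TARGET_PATH = "/Encoder/getImage.php"
PARAM = "base64Url"

# The sink is  ffmpeg -i "{$url}" : inside double quotes ; | & are literal, so the
# break-out primitives are $( ), ${ }, backticks, or a closing double quote.
SHELL_META = re.compile(r'\$\(|\$\{|`|"')

# Combined log format (assumption): ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_base64url(value: str) -> Optional[str]:
    """Decode a base64url or plain base64 value, restoring stripped padding."""
    value = value.strip().replace(" ", "+")  # parse_qs turns a literal '+' into ' '
    value += "=" * (-len(value) % 4)
    try:
        raw = base64.urlsafe_b64decode(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


def looks_like_url(decoded: str) -> bool:
    """Loose stand-in for FILTER_VALIDATE_URL: a scheme and a host are enough to pass."""
    p = urlparse(decoded)
    return bool(p.scheme and p.netloc)


def analyze_request(target: str) -> Optional[dict]:
    """Inspect one request target; return a finding dict for the vulnerable endpoint, else None."""
    parsed = urlparse(target)
    if parsed.path != TARGET_PATH:
        return None
    values = parse_qs(parsed.query).get(PARAM)
    if not values:
        return None
    decoded = decode_base64url(values[0])
    if decoded is None:
        return {"decoded": None, "passes_url_check": False, "suspicious": False, "reason": "undecodable"}
    m = SHELL_META.search(decoded)
    return {
        "decoded": decoded,
        "passes_url_check": looks_like_url(decoded),
        "suspicious": m is not None,
        "reason": f"shell metacharacter {m.group()!r} in decoded URL" if m else "",
    }


def scan_log(lines) -> list:
    """Return findings (ip plus analysis) for every suspicious GET in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        finding = analyze_request(m.group("target"))
        if finding and finding["suspicious"]:
            findings.append({"ip": m.group("ip"), **finding})
    return findings


def b64url(s: str) -> str:
    """Encode like the client would: base64url without padding."""
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")


# Constructed sample log lines (not real traffic). The second carries the payload
# shape from the advisory sources, http://x/$(cmd), with id as the command.
BENIGN = b64url("https://cdn.example.com/thumb.jpg")
PAYLOAD = b64url("http://x/$(id)")
SAMPLE_LOG = [
    f'203.0.113.5 - - [06/Mar/2026:10:00:01 +0000] "GET /Encoder/getImage.php?base64Url={BENIGN} HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [06/Mar/2026:10:00:02 +0000] "GET /Encoder/getImage.php?base64Url={PAYLOAD} HTTP/1.1" 200 0',
    '198.51.100.7 - - [06/Mar/2026:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}: {f['reason']}; decoded={f['decoded']!r}; "
              f"passes URL check={f['passes_url_check']}")
```

The payload line is reported with passes_url_check=True, which is the point of the second bullet: the decoded value is a well-formed URL, so validation alone never sees anything wrong and the decision has to be made on the decoded content. The metacharacter set is deliberately narrow to match a double-quoted sink; if the same parameter reaches an unquoted command elsewhere, widen it to include ; | & and newlines.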