CVE-2026-29058
Published 2026-03-06
CVE-2026-29058: AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting…
Priority P1 (78) · critical · CVSS 3.1 base score 9.8 · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 2.13% (79.7th percentile)
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | >= 0 < 7.0.0 | 7.0.0 |
| wwbn | avideo-encoder | < 7.0 | 7.0 |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /Encoder/getImage.php where the base64Url parameter, when base64-decoded, contains shell metacharacters such as $() indicating command substitution attempts.
- Alert on decoded base64Url values containing $() shell substitution syntax passed to FILTER_VALIDATE_URL — the check does not block these metacharacters in the URL path.
- Watch for unexpected child processes of ffmpeg running as www-data, which may indicate successful command injection via the getImage.php endpoint.
- Unauthenticated exploitation — no session cookie or authentication token is required; flag any exploitation attempt from unauthenticated sources against this endpoint.
- The /Encoder path is mounted on the main AVideo Apache container; successful exploitation may be followed by access to database credentials and configuration files.
- The vulnerability is fixed in AVideo Encoder version 7.0 (commit 78178d1), which added escapeshellarg() and shell metacharacter stripping; systems running version 7.0 or later are not affected.
- A public Metasploit exploit module exists and has been merged into the framework, significantly lowering the bar for exploitation; EPSS exploitation probability is reported at 50.9%.
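A defender-side implementation of the first two bullets above, added here as an example rather than code from AVideo or any of the quoted sources: it parses constructed Apache access-log lines, base64-decodes the base64Url parameter of getImage.php requests and flags command-substitution syntax in the decoded value. looks_like_url is an assumed stand-in for PHP's FILTER_VALIDATE_URL (not its implementation), included to show that such a value passes URL-syntax validation and still carries $().

```python
import base64, binascii, re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Inside a double-quoted shell argument the shell still interprets $( and ${
# expansions, backtick substitution and a closing quote; nothing else is needed
# to flag here, and ; & | are common in legitimate query strings anyway.
SHELL_METACHARS = re.compile(r'\$\(|\$\{|`|"')
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed Apache combined-log lines, not real traffic: a benign thumbnail
# fetch, a request whose base64Url decodes to a URL ending in "$(id)", and noise.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2026:10:01:02 +0000] "GET /Encoder/getImage.php?base64Url=aHR0cHM6Ly9jZG4uZXhhbXBsZS5jb20vdGh1bWIuanBn&format=jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2026:10:01:09 +0000] "GET /Encoder/getImage.php?base64Url=aHR0cHM6Ly9jZG4uZXhhbXBsZS5jb20vdGh1bWIuanBnJChpZCk&format=jpg HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.9 - - [06/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def decode_base64url_param(value: str) -> Optional[str]:
    """Accept either base64 alphabet and missing padding (an assumption about
    how clients encode the parameter); None when the value is not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None

def looks_like_url(value: str) -> bool:
    """Scheme-and-host check standing in for PHP's FILTER_VALIDATE_URL: a value
    can be a syntactically fine URL and still carry $() in its path."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def scan_access_log(log_text: str) -> list:
    """One (client, decoded URL, marker, passes_url_syntax) tuple per
    getImage.php request whose *decoded* base64Url contains a metacharacter."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if not target.path.endswith("/getImage.php"):
            continue
        for raw in parse_qs(target.query).get("base64Url", []):
            decoded = decode_base64url_param(raw)
            hit = SHELL_METACHARS.search(decoded) if decoded is not None else None
            if hit:
                findings.append((line.split(" ", 1)[0], decoded, hit.group(0),
                                 looks_like_url(decoded)))
    return findings
```

Only the decoded value is matched, so the raw query string (which legitimately contains `&` and `=`) never triggers the rule; point `scan_access_log` at the Apache access log of the container that serves /Encoder.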
OSV
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
osv · 2026-03-03 · CRITICAL
## Impact
An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the `base64Url` GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption.
## Root Cause
The `base64Url` parameter is Base64-decoded and then interpolated directly into a double-quoted `ffmpeg` shell command without proper shell escaping. The upstream validation uses `FILTER_VALIDATE_URL`, which validates URL syntax but does not prevent shell metacharacters / command substitution sequences from being interpreted by the shell.
## Affected Components
* `objec
GHSA
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
ghsa · 2026-03-03 · CRITICAL · CWE-78
No detection rules found.
Rapid7
Metasploit Wrap-Up 03/20/2026
blogs_rapid7 · 2026-03-20 · HIGH · CVSS 8.6
## ♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫
This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder’s getImage.php file and another targeting FreePBX. Leading the enhancements is a granularization for LDAP queries allowing the omission of SACL data on security descriptors, as without the proper permissions the entire query of the security descriptor will fail if the SACL data is even just a part of the query.
## New module content (2)
## AVideo Encoder getImage.php Unauthenticated Command Injection
Authors: Valentin Lobstein and arkmarta
Type: Exploit
Pull request: #21076 contributed by Chocapikk
P
Wiz
CVE-2026-29058 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CRITICAL · CVSS 9.8
## CVE-2026-29058: PHP vulnerability analysis and mitigation
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
Source: NVD
| Field | Value |
|---|---|
| Score | 9.8 |
| Published | March 6, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | PHP |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 97.9 |
| Exploitation Probability (EPSS) | 50.9 |
Affected packages and librar