CVE-2026-33319 — OS Command Injection in Avideo
Severity
7.5 HIGH (NVD)
EPSS
0.0%
top 91.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Latest update: Mar 19
Published: Mar 22
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains …
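The missing control named in the description, shown as an added example that is not AVideo's code or its 26.0 fix: a URL taken from an API response is validated and then passed through `escapeshellarg()` before it reaches a shell. The function names, the use of `curl`, the `.linkedin.com` host suffix and the sample URLs are assumptions made for illustration; `str_ends_with()` requires PHP 8.

```php
<?php
// Added example: hypothetical helpers, not AVideo's code.
// Assumptions: curl as the uploader and the allow-listed host suffix below.
const ALLOWED_HOST_SUFFIX = '.linkedin.com';

/** Validate a URL taken from an API response before it goes near a shell. */
function validateUploadUrl(string $url): string
{
    // Whitespace and control characters never belong in an upload URL.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        throw new InvalidArgumentException('whitespace or control character in URL');
    }
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        throw new InvalidArgumentException('upload URL must be https');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL are not allowed');
    }
    $host = strtolower($parts['host'] ?? '');
    if (!str_ends_with($host, ALLOWED_HOST_SUFFIX)) {
        throw new InvalidArgumentException("unexpected upload host: $host");
    }
    return $url;
}

/** Build the command with every untrusted value quoted as a single argument. */
function buildUploadCommand(string $uploadUrl, string $filePath): string
{
    $url = validateUploadUrl($uploadUrl);
    return 'curl --fail --silent --upload-file ' . escapeshellarg($filePath)
         . ' ' . escapeshellarg($url);
}

// Constructed sample inputs (not real LinkedIn API responses).
$samples = [
    'https://www.linkedin.com/upload/abc123',      // expected shape
    "https://www.linkedin.com/upload/abc';id;'",   // shell metacharacters in the path
    'https://uploads.example.net/abc123',          // host outside the allow-list
];
foreach ($samples as $sample) {
    try {
        echo buildUploadCommand($sample, '/tmp/video.mp4'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The second sample passes URL validation, which is why the quoting step is still required: the whole value reaches the command as one quoted argument. Since PHP 7.4, `proc_open()` also accepts the command as an array and runs it without a shell, which removes the quoting problem altogether.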
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9