CVE-2026-33478
published 2026-03-23

Priority: P1 · 93; severity: critical; CVSS 3.1 base score: 10
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 13.27% (95.9th percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.

Affected (2 ranges)

Vendor  Product  Version range  Fixed in
wwbn    avideo   <= 26.0        -
wwbn    avideo   0 – 26.0       -

Detection & IOCs (extracted from sources)

path: /plugin/CloneSite/clones.json.php
path: /plugin/CloneSite/cloneServer.json.php
path: /plugin/CloneSite/cloneClient.json.php
hash (fix commit): c85d076375fab095a14170df7ddb27058134d38c
yara: GET /plugin/CloneSite/clones.json.php HTTP/1.1
  • Probe GET /plugin/CloneSite/clones.json.php unauthenticated; a 200 response with JSON body containing '"data": [' and '"key":"' (without 'Admin required' error) indicates unauthenticated secret key exposure.
  • Extracted clone secret keys match the regex pattern '"key":"([0-9a-z]+)"' in the response body of clones.json.php.
  • Admin password hashes in the database dump are stored as MD5 and are trivially crackable; monitor for MD5 hash cracking activity following exploitation of cloneServer.json.php.
  • OS command injection occurs in rsync command construction inside cloneClient.json.php; monitor for anomalous rsync process spawning from web server processes.
  • The full attack chain is unauthenticated: secret key leak via clones.json.php → DB dump via cloneServer.json.php → admin hash crack → RCE via cloneClient.json.php. Alert on sequential unauthenticated requests to all three endpoints.
  • Vulnerability affects AVideo versions up to and including 26.0; patched in commit c85d076375fab095a14170df7ddb27058134d38c. Verify the installed version before applying detection rules.
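The last bullet's "alert on sequential unauthenticated requests to all three endpoints" as detection logic over web-server access logs. This is an added example, not code from the advisory or the AVideo project: the endpoint paths come from the advisory, while the combined log format, the 30-minute window, the 200-only filter and the sample log lines (documentation IP ranges) are assumptions.

```python
import re
from datetime import datetime, timedelta
# CloneSite endpoints in the order the advisory's chain uses them:
# key leak -> database dump -> command injection.
CHAIN = (
    "/plugin/CloneSite/clones.json.php",
    "/plugin/CloneSite/cloneServer.json.php",
    "/plugin/CloneSite/cloneClient.json.php",
)
# Apache/nginx combined log format; the query string is stripped from the path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}

def find_clonesite_chains(lines, window=timedelta(minutes=30)):
    """Return (ip, first_hit, last_hit) for each client that reached all three
    endpoints in chain order with HTTP 200 inside `window`; a lone hit on
    cloneClient.json.php (ordinary admin use) never alerts on its own."""
    state, alerts = {}, []          # ip -> (next expected stage, chain start)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] not in CHAIN or ev["status"] != 200:
            continue
        stage = CHAIN.index(ev["path"])
        nxt, start = state.get(ev["ip"], (0, None))
        if stage == 0:                  # any key-leak hit (re)starts a chain
            state[ev["ip"]] = (1, ev["ts"])
        elif stage == nxt and ev["ts"] - start <= window:
            if stage == len(CHAIN) - 1:
                alerts.append((ev["ip"], start, ev["ts"]))
                state.pop(ev["ip"])
            else:
                state[ev["ip"]] = (stage + 1, start)
    return alerts

# Constructed sample: 203.0.113.7 walks the whole chain; 198.51.100.9 only touches cloneClient.json.php and index.php.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:10:00:01 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.9 - - [23/Mar/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2026:10:01:10 +0000] "GET /plugin/CloneSite/cloneServer.json.php?v=1 HTTP/1.1" 200 480211 "-" "curl/8.5.0"
203.0.113.7 - - [23/Mar/2026:10:09:42 +0000] "POST /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 77 "-" "curl/8.5.0"
198.51.100.9 - - [23/Mar/2026:10:10:00 +0000] "POST /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""
```

On the sample, `find_clonesite_chains(SAMPLE_LOG.splitlines())` reports only 203.0.113.7; the second client's single cloneClient.json.php request is not flagged, so the rule keeps routine admin use quiet.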

CVSS provenance

NVD: CVSS v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL