Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2026-33478 — OS Command Injection in AVideo
Severity: 10.0 CRITICAL (NVD)
EPSS: 20.6% (top 4.41%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Latest update: Mar 20
Published: Mar 23
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, th…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0
Affected Packages: 2 packages
Patches
Vulnerability Details: 2
Exploits & PoCs: 1
Nuclei
AVideo <= 26.0 - WWBN AVideo - Remote Code Execution