CVE-2026-33478
Published 2026-03-23
Priority: P1 (93) · Severity: critical · CVSS 3.1 base score 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploited in the wild (ITW); exploit available; listed in VulnCheck KEV
EPSS: 13.27% (95.9th percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
Detection & IOCs (extracted from sources)
yara
GET /plugin/CloneSite/clones.json.php HTTP/1.1
- Probe GET /plugin/CloneSite/clones.json.php unauthenticated; a 200 response with a JSON body containing '"data": [' and '"key":"' (and no 'Admin required' error) indicates unauthenticated secret key exposure.
- Extracted clone secret keys match the regex pattern '"key":"([0-9a-z]+)"' in the response body of clones.json.php.
- Admin password hashes in the database dump are stored as MD5 and are trivially crackable. The cracking happens offline and leaves no server-side trace, so treat any successful unauthenticated request to cloneServer.json.php as a compromise of every admin credential in the dump and rotate them.
- OS command injection occurs in rsync command construction inside cloneClient.json.php; monitor for anomalous rsync processes spawned by the web server user (for example, children of php-fpm or apache2 workers).
- The full attack chain is unauthenticated: secret key leak via clones.json.php → DB dump via cloneServer.json.php → admin hash crack → RCE via cloneClient.json.php. Alert on requests from the same source to all three endpoints in that order within a short window.
- Vulnerability affects AVideo versions up to and including 26.0; patched in commit c85d076375fab095a14170df7ddb27058134d38c. Verify the installed version before applying detection rules.
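The checks in the list above, worked into runnable form as an added example (this is not AVideo code and not taken from any of the advisories): `classify_clones_response` applies the clones.json.php probe criteria and extracts keys with the quoted regex, and `find_chains` replays the three-endpoint sequence over web-server access logs. The access-log lines and JSON bodies are constructed samples; the JSON field names other than `data` and `key`, the use of combined log format, and the 30-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Regex quoted in the IOC list for extracting leaked clone keys.
CLONE_KEY_RE = re.compile(r'"key":"([0-9a-z]+)"')

# The three CloneSite endpoints, in the order the attack chain uses them.
CHAIN = ("clones.json.php", "cloneServer.json.php", "cloneClient.json.php")
ENDPOINT_RE = re.compile(
    r"^/plugin/CloneSite/(clones|cloneServer|cloneClient)\.json\.php(?:\?|$)"
)

# Combined-log fields we need: client, timestamp, method, path, status.
# (Assumes Apache/nginx combined format.)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_clones_response(status: int, body: str):
    """Classify an unauthenticated probe of clones.json.php.

    Returns (vulnerable, keys). A 200 whose JSON body contains '"data": ['
    and '"key":"' and no 'Admin required' error means clone secret keys are
    exposed; the keys themselves are pulled out with CLONE_KEY_RE.
    """
    if status != 200 or "Admin required" in body:
        return False, []
    if '"data": [' not in body or '"key":"' not in body:
        return False, []
    return True, CLONE_KEY_RE.findall(body)


def parse_line(line: str):
    """Return (client_ip, timestamp, endpoint) for a request to one of the
    three CloneSite endpoints, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    e = ENDPOINT_RE.match(path)
    if not e:
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, e.group(1) + ".json.php"


def find_chains(lines, window_minutes: int = 30):
    """Return client IPs that hit clones -> cloneServer -> cloneClient, in
    that order, within window_minutes (30 is an assumed tuning value)."""
    window = timedelta(minutes=window_minutes)
    events = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, when, endpoint = parsed
            events.setdefault(ip, []).append((when, endpoint))

    flagged = []
    for ip, evs in events.items():
        evs.sort()
        stage, first_seen = 0, None
        for when, endpoint in evs:
            if endpoint != CHAIN[stage]:
                continue  # out-of-order hit; wait for the expected stage
            if stage == 0:
                first_seen = when
            stage += 1
            if stage == len(CHAIN):
                if when - first_seen <= window:
                    flagged.append(ip)
                break
    return flagged


# Constructed sample data. 203.0.113.7 runs the full chain; 198.51.100.5 only
# touches clones.json.php and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2026:10:15:01 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.5 - - [23/Mar/2026:10:15:30 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2026:10:16:10 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 204800 "-" "python-requests/2.31"',
    '198.51.100.5 - - [23/Mar/2026:10:17:00 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2026:10:31:45 +0000] "GET /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 64 "-" "python-requests/2.31"',
]

# Constructed response bodies; the surrounding JSON shape is an assumption,
# only the '"data": [' / '"key":"' / 'Admin required' strings come from the IOCs.
LEAKY_BODY = '{"error": false, "data": [{"id": 1, "key":"3f9a0c1e2b7d"}]}'
PATCHED_BODY = '{"error": true, "msg": "Admin required"}'

if __name__ == "__main__":
    print(classify_clones_response(200, LEAKY_BODY))
    print(find_chains(SAMPLE_LOG))
```

Feed real access logs to `find_chains` line by line; the ordered-stage matching means a single source that only enumerates clones.json.php (a legitimate clone server polling its peers, or a scanner) is not flagged, while the window keeps stale key leaks from pairing with unrelated later requests.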
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| VulnCheck | — | 10.0 | CRITICAL | — |
GHSA
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
ghsa · 2026-03-20 · CVE-2026-33478 · CRITICAL · CWE-284
## Summary
Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands.
## Details
### Step 1: Clone Key Disclosure
`plugin/CloneSite/clones.json.php:1-8` has zero authen
OSV
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
osv · 2026-03-20 · CVE-2026-33478 · CRITICAL (same advisory text as the GHSA entry above)
VulnCheck
wwbn avideo Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2026 · CVE-2026-33478 · CRITICAL · CVSS 10.0 (description identical to the NVD text above)
No detection rules found.
Nuclei
AVideo <= 26.0 - WWBN AVideo - Remote Code Execution
nuclei · CVE-2026-33478 · CRITICAL · CVSS 10.0
WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
Template:
```yaml
id: CVE-2026-33478

info:
  name: AVideo <= 26.0 - WWBN AVideo - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands, leading to
```