CVE-2026-33482
Published 2026-03-23
Priority P2 (62) · High · CVSS 3.1 score 8.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.06% (79.0th percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `\`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
| wwbn | avideo | 0 – 29.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for bash command substitution syntax `$()` appearing in ffmpeg command arguments passed to the AVideo standalone encoder server, which would bypass the sanitizeFFmpegCommand() filter.
- Alert on `sh -c` process executions spawned from the AVideo standalone encoder process that contain `$()` subshell patterns, indicating exploitation of the command substitution bypass.
- Inspect encrypted payloads submitted to the AVideo standalone encoder API endpoint for `$()` sequences, as exploitation requires a crafted valid encrypted payload.
- The vulnerability only affects the standalone encoder server component of AVideo; the sanitizeFFmpegCommand() function in plugin/API/standAlone/functions.php is the specific attack surface. Versions up to and including 26.0 are affected.
- The sanitizer does strip `&&`, `;`, `|`, backtick, and `\` metacharacters; only `$()` (bash command substitution) is missed. Detection rules should focus specifically on the `$()` bypass vector.
- Exploitation requires the attacker to craft a valid encrypted payload accepted by the standalone encoder API, meaning unauthenticated or unencrypted requests alone are insufficient for exploitation.
CVSS provenance
- NVD · v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- GHSA · 8.1 HIGH
GHSA
ghsa · 2026-06-23 · CVSS 8.1
CVE-2026-55173 [HIGH] CWE-78 AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink
### Summary
The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. That advisory reported that `sanitizeFFmpegCommand()` (`plugin/API/standAlone/functions.php`) failed to strip `$(...)` command substitution, allowing OS command injection at the `execAsync()` `sh -c` sink. The fix (commit `25c8ab90`) added `$`, `(`, `)`, `{`, `}`, `\n`, `\r` to the denylist character class and a `str_replace('&&', '', ...)`. It still does **not** neutralize a single `&` (the shell background operator), which remains a command separator at the unchanged sink. Same entry point, same sink, same impact as the original — onl
GHSA
ghsa · 2026-03-20
CVE-2026-33482 [HIGH] CWE-78 AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
## Summary
The `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `\`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server.
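An added example (my code, not AVideo's) illustrating the two advisories above: a hypothetical reconstruction of the pre-fix denylist behaviour described on this page, a detection helper that reports which shell constructs still survive it (including `$()` from this CVE and the single `&` from CVE-2026-55173), and an allowlist check a defender would apply instead. All function names and sample commands are constructed.

```php
<?php
// Hypothetical reconstruction of the pre-fix denylist behaviour on this page:
// strips "&&", ";", "|", backtick and backslash and nothing else.
function denylistSanitize(string $cmd): string
{
    $cmd = str_replace('&&', '', $cmd);
    return preg_replace('/[;|`\\\\]/', '', $cmd);
}

// Detection helper: every construct that is still live inside a double-quoted
// sh -c "..." string. Returns [] for a clean command.
function findShellMetachars(string $cmd): array
{
    $patterns = [
        'cmd_subst'  => '/\$\(/',            // $(...), the CVE-2026-33482 bypass
        'backtick'   => '/`/',
        'param_exp'  => '/\$\{?[A-Za-z_]/',  // $VAR, ${VAR}
        'background' => '/&/',               // single &, the CVE-2026-55173 bypass
        'separator'  => '/[;|]/',
        'newline'    => '/[\r\n]/',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $cmd)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Allowlist check: accept only the characters an ffmpeg invocation needs
// rather than enumerating what is dangerous.
function isAllowlistedFFmpegCommand(string $cmd): bool
{
    return (bool) preg_match('/^ffmpeg( [A-Za-z0-9_.\/:=,@-]+)*$/', $cmd);
}

// Constructed sample commands.
$samples = [
    'ffmpeg -i /tmp/in.mp4 -c:v libx264 /tmp/out.mp4',
    'ffmpeg -i /tmp/in.mp4 $(id) /tmp/out.mp4',
    'ffmpeg -i /tmp/in.mp4 & id',
];
foreach ($samples as $s) {
    $survivors = findShellMetachars(denylistSanitize($s));
    printf("%-46s survivors=%-12s allowlist=%s\n", $s,
        $survivors ? implode(',', $survivors) : 'none',
        isAllowlistedFFmpegCommand($s) ? 'accept' : 'reject');
}
```

Only the first sample is clean under both checks; the second and third pass the denylist untouched but are rejected by the allowlist, which is the property the incomplete-fix advisory shows a denylist cannot guarantee.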
## Details
**Vulnerable sanitization function** (`plugin/API/standAlone/functions.php:59-82`):
```php
function sanitizeFFmpegCommand($command)
{
$allowedPrefixes = ['ffmpeg', '/u
```
OSV
osv · 2026-03-20
CVE-2026-33482 [HIGH] AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
No detection rules found.
No public exploits indexed.
Published: 2026-03-23