cbcvebase.
CVE-2026-33482
published 2026-03-23

Priority: P2 62 · high · CVSS 3.1 score 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.06% (79.0th percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, backtick, and `\`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.

Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| wwbn | avideo | <= 26.0 | |
| wwbn | avideo | 0 – 26.0 | |
| wwbn | avideo | 0 – 29.0 | |

Detection & IOCs (extracted from sources)

  • path: plugin/API/standAlone/functions.php
  • other: $()
  • hash: 25c8ab90269e3a01fb4cf205b40a373487f022e1
  • Monitor for bash command substitution syntax `$()` appearing in ffmpeg command arguments passed to the AVideo standalone encoder server, which would bypass the sanitizeFFmpegCommand() filter.
  • Alert on `sh -c` process executions spawned from the AVideo standalone encoder process that contain `$()` subshell patterns, indicating exploitation of the command substitution bypass.
  • Inspect encrypted payloads submitted to the AVideo standalone encoder API endpoint for `$()` sequences, as exploitation requires a crafted valid encrypted payload.
  • The vulnerability only affects the standalone encoder server component of AVideo; the sanitizeFFmpegCommand() function in plugin/API/standAlone/functions.php is the specific attack surface. Versions up to and including 26.0 are affected.
  • The sanitizer does strip `&&`, `;`, `|`, backtick, and `\` metacharacters; only `$()` (bash command substitution) is missed. Detection rules should focus specifically on the `$()` bypass vector.
  • Exploitation requires the attacker to craft a valid encrypted payload accepted by the standalone encoder API, meaning unauthenticated or unencrypted requests alone are insufficient for exploitation.
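The detection bullets above, together with the blocklist gap described in the summary, as an added Python example that is not AVideo's own code: it scans constructed process-exec log lines for `sh -c` ffmpeg commands spawned by the encoder that carry `$(`, and shows an allowlist check that rejects an argument instead of stripping characters from it. The log line format, the parent process name `avideo-encoder`, and the sample lines are assumptions.

```python
import re

# Any "$(" is enough to flag: a blocklist that strips &&, ;, |, backtick and
# backslash leaves this sequence intact, while a lone "$" (e.g. "$5") is benign.
CMD_SUBST = re.compile(r"\$\(")

def has_command_substitution(cmd: str) -> bool:
    """True if cmd carries the bash command-substitution opener."""
    return CMD_SUBST.search(cmd) is not None

# Assumed (constructed) process-exec log format: "<ts> <parent> exec: <cmd>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<parent>\S+) exec: (?P<cmd>.*)$")

def parse_exec_line(line: str):
    """Split one log line into ts/parent/cmd, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_encoder_execs(lines, parent_name="avideo-encoder"):
    """Return (ts, cmd) for every `sh -c` ffmpeg command spawned by the
    encoder process that contains $(): the rule from the bullets above."""
    hits = []
    for line in lines:
        rec = parse_exec_line(line)
        if rec is None or rec["parent"] != parent_name:
            continue
        cmd = rec["cmd"]
        if cmd.startswith("sh -c") and "ffmpeg" in cmd and has_command_substitution(cmd):
            hits.append((rec["ts"], cmd))
    return hits

# Mitigation side: validate each ffmpeg argument against an allowlist and
# reject it, rather than strip characters, so nothing outside the allowlist survives.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:=@%,+-]*$")

def unsafe_args(args):
    """Return the arguments the allowlist would reject."""
    return [a for a in args if not SAFE_ARG.match(a)]

# Constructed sample log: a benign encoder job, one with $() in a path,
# one $() from an unrelated parent, and a plain "$" that must not fire.
SAMPLE_LOG = [
    '2026-03-24T10:00:01Z avideo-encoder exec: sh -c "ffmpeg -i /tmp/in.mp4 -c:v libx264 /tmp/out.mp4"',
    '2026-03-24T10:00:05Z avideo-encoder exec: sh -c "ffmpeg -i /tmp/$(example).mp4 /tmp/out.mp4"',
    '2026-03-24T10:00:09Z cron exec: sh -c "ffmpeg -i /tmp/a.mp4 /tmp/$(example).mp4"',
    '2026-03-24T10:00:12Z avideo-encoder exec: sh -c "ffmpeg -i /tmp/in.mp4 -metadata title=price_$5 /tmp/o.mp4"',
]

if __name__ == "__main__":
    for ts, cmd in flag_encoder_execs(SAMPLE_LOG):
        print(f"ALERT {ts}: {cmd}")
    print("rejected:", unsafe_args(["-i", "/tmp/in.mp4", "$(example)"]))
```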

CVSS provenance

NVD: CVSS v3.1 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
GHSA: 8.1 HIGH