cbcvebase.
CVE-2026-33648
published 2026-03-23


Priority: P262 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.61% (44.8th percentile)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| wwbn   | avideo  | <= 26.0       |          |
| wwbn   | avideo  | 0 – 26.0      |          |

Detection & IOCs (extracted from sources)

hash: 99b865413172045fef6a98b5e9bfc7b24da11678
  • Monitor POST requests to the restreamer endpoint containing JSON body fields `users_id` or `liveTransmitionHistory_id` with shell metacharacters such as `$()`, backticks, semicolons, or pipe characters, which indicate exploitation attempts.
  • Alert on server-side `exec()` calls in WWBN AVideo (wwbn/avideo) where the argument string contains shell metacharacters originating from user-supplied JSON input, indicating command injection via the log file path construction.
  • Scope detection to authenticated sessions only; the vulnerability requires an authenticated user to submit a crafted JSON request body to the restreamer endpoint.
  • All WWBN AVideo instances running version 26.0 or earlier are affected. The patch is only available in commit 99b865413172045fef6a98b5e9bfc7b24da11678; unpatched instances remain fully exploitable by any authenticated user.
  • A public exploit is confirmed to exist for this vulnerability, raising the urgency of patching or mitigating exposed AVideo restreamer endpoints.
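
The first detection bullet above can be expressed as a check over captured request bodies. The following is an added example, not code from AVideo or from this page's sources; it assumes both ID fields are normally plain non-negative integers, and the function name, verdict labels and sample bodies are constructed for illustration.

```python
import json
import re

# Field names come from the advisory text; everything else is an assumption.
ID_FIELDS = ("users_id", "liveTransmitionHistory_id")
# Metacharacters named in the advisory: $(), backticks, semicolons, pipes.
SHELL_META = re.compile(r"\$\(|`|;|\|")
# Assumption: a legitimate ID is a plain non-negative integer.
PLAIN_ID = re.compile(r"[0-9]+")


def inspect_body(raw_body):
    """Return (field, verdict) findings for one JSON request body."""
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return [("<body>", "unparseable")]
    if not isinstance(body, dict):
        return [("<body>", "not-an-object")]
    findings = []
    for field in ID_FIELDS:
        if field not in body:
            continue
        value = body[field]
        # Serialise non-strings so nested arrays/objects are scanned too.
        text = value if isinstance(value, str) else json.dumps(value)
        if PLAIN_ID.fullmatch(text):
            continue
        verdict = "shell-metachar" if SHELL_META.search(text) else "non-numeric"
        findings.append((field, verdict))
    return findings


# Constructed sample bodies (PLACEHOLDER stands in for attacker content).
SAMPLES = [
    '{"users_id": 12, "liveTransmitionHistory_id": 340}',
    '{"users_id": "12", "liveTransmitionHistory_id": "340$(PLACEHOLDER)"}',
    '{"users_id": "12`PLACEHOLDER`", "liveTransmitionHistory_id": 340}',
    '{"users_id": "../12", "liveTransmitionHistory_id": 340}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_body(sample) or "clean", "<-", sample)
```

Flagging any non-numeric value, not only the listed metacharacters, also surfaces path-style input that would alter the log file path without shell syntax.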