CVE-2026-33648
Published 2026-03-23
Priority: P2 62 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
0.61%
44.8th percentile
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to the restreamer endpoint containing JSON body fields `users_id` or `liveTransmitionHistory_id` with shell metacharacters such as `$()`, backticks, semicolons, or pipe characters, which indicate exploitation attempts.
- Alert on server-side `exec()` calls in WWBN AVideo (wwbn/avideo) where the argument string contains shell metacharacters originating from user-supplied JSON input, indicating command injection via the log file path construction.
- Scope detection to authenticated sessions only; the vulnerability requires an authenticated user to submit a crafted JSON request body to the restreamer endpoint.
- All WWBN AVideo instances running version 26.0 or earlier are affected. The patch is only available in commit 99b865413172045fef6a98b5e9bfc7b24da11678; unpatched instances remain fully exploitable by any authenticated user.
- A public exploit is confirmed to exist for this vulnerability, raising the urgency of patching or mitigating exposed AVideo restreamer endpoints.
OSV
osv · 2026-03-25
CVE-2026-33648 [HIGH] AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
## Summary
The restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks.
## Details
The vulnerability exists in `plugin/Live/standAloneFiles/restreamer.json.php`. The data flow is:
**1. User input ingestion** (line 220):
```php
$request = file_get_contents("php://input");
$robj = json_decode($request);
```
**2. Log f
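The unsafe pattern the advisory describes, beside the fix a maintainer would apply (validate both IDs as integers before the path is built, and quote every interpolated value before it reaches `exec()`). This is an added illustration, not AVideo's own code; the function names, the log directory, the `$target` input and the ffmpeg command line are assumptions.

```php
<?php
// Added illustration, not AVideo project code. Function names, the log
// directory and the ffmpeg command line are assumptions for the example.

// Body ingestion as the advisory shows it: the decoded JSON object is the
// only source of both IDs, so nothing upstream has validated them.
function readRequest(): ?stdClass {
    $robj = json_decode(file_get_contents('php://input'));
    return is_object($robj) ? $robj : null;
}

// UNSAFE (the advisory's pattern): the raw IDs land in the path and the path
// lands in a shell command, so `$(...)` or backticks in either field are
// evaluated by /bin/sh when exec() runs the returned string.
function buildCommandUnsafe(stdClass $robj, string $logDir, string $target): string {
    $log = "{$logDir}/restream_{$robj->users_id}_{$robj->liveTransmitionHistory_id}.log";
    return "nohup ffmpeg -i {$target} > {$log} 2>&1 &";
}

// HARDENED: accept only non-negative integers so the path can never carry
// shell syntax, then quote every interpolated value for exec() anyway.
function parseId($value): int {
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return $id;
}

function buildCommandSafe(stdClass $robj, string $logDir, string $target): string {
    $usersId   = parseId($robj->users_id ?? null);
    $historyId = parseId($robj->liveTransmitionHistory_id ?? null);
    $log = sprintf('%s/restream_%d_%d.log', $logDir, $usersId, $historyId);
    return 'nohup ffmpeg -i ' . escapeshellarg($target)
         . ' > ' . escapeshellarg($log) . ' 2>&1 &';
}

// Example handler: a malformed body or a non-integer ID is rejected with 400
// before any command string exists, so exec() only ever sees validated input.
function handle(string $logDir, string $target): void {
    $robj = readRequest();
    if ($robj === null) {
        http_response_code(400);
        return;
    }
    try {
        $cmd = buildCommandSafe($robj, $logDir, $target);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return;
    }
    exec($cmd);
}
```

The integer check is the real fix; `escapeshellarg()` is defence in depth for the day a non-numeric value is interpolated into the same command.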
GHSA
ghsa · 2026-03-25
CVE-2026-33648 [HIGH] CWE-78 AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
No detection rules found.
No public exploits indexed.