CVE-2026-55173
Published 2026-06-23
Severity: High (8.1)
AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink
### Summary
The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. That advisory reported that `sanitizeFFmpegCommand()` (`plugin/API/standAlone/functions.php`) failed to strip `$(...)` command substitution, allowing OS command injection at the `execAsync()` `sh -c` sink. The fix (commit `25c8ab90`) added `$`, `(`, `)`, `{`, `}`, `\n`, `\r` to the denylist character class and a `str_replace('&&', '', ...)`. It still does **not** neutralize a single `&` (the shell background operator), which remains a command separator at the unchanged sink. Same entry point, same sink, same impact as the original — only the surviving metacharacter differs.
Verified at master HEAD.
### The surviving gap
HEAD `sanitizeFFmpegCommand` (`functions.php`):
```php
$command = str_replace('&&', '', $command); // only the doubled form
$command = preg_replace('/\s*&?>.*(?:2>&1)?/', '', $command); // strips '&' only when followed by '>'
$command = preg_replace('/[;|`<>$()\n\r{}]/', '', $command); // char class has no '&'
// then requires the result to start with 'ffmpeg'
```
A single `&` is therefore preserved. `ffmpeg ... & ` passes the sanitizer and the `strpos(trim($command),'ffmpeg')===0` prefix gate.
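As an added illustration (not AVideo's code and not the fix the project shipped), the PHP below reproduces the HEAD denylist logic quoted above beside a hypothetical variant that rejects any token outside an allowlist and quotes each argument, so the behaviour on a command carrying a single `&` can be compared locally. The HEAD reconstruction follows the three lines quoted in this report plus the `ffmpeg` prefix gate; the strict variant's allowlist and the sample inputs are assumptions.

```php
<?php
// Added example, not AVideo's code. sanitizeFFmpegCommandHead() reproduces the
// three HEAD lines quoted in the advisory plus the 'ffmpeg' prefix gate;
// sanitizeFFmpegCommandStrict() is a hypothetical replacement.

function sanitizeFFmpegCommandHead(string $command): ?string
{
    $command = str_replace('&&', '', $command);                   // only the doubled form
    $command = preg_replace('/\s*&?>.*(?:2>&1)?/', '', $command); // '&' only when before '>'
    $command = preg_replace('/[;|`<>$()\n\r{}]/', '', $command);  // no '&' in the class
    return strpos(trim($command), 'ffmpeg') === 0 ? $command : null;
}

// Hardened variant: split into tokens, require an allowlisted character set per
// token and reject (rather than strip) anything outside it, then quote every
// argument with escapeshellarg() so the inner `sh -c` treats it as data.
// The allowlist is an assumption and may be narrower than AVideo's real
// ffmpeg invocations require.
function sanitizeFFmpegCommandStrict(string $command): ?string
{
    $tokens = preg_split('/\s+/', trim($command), -1, PREG_SPLIT_NO_EMPTY);
    if (count($tokens) < 2 || $tokens[0] !== 'ffmpeg') {
        return null;
    }
    $args = array_slice($tokens, 1);
    foreach ($args as $arg) {
        // Letters, digits and a few path/option characters; no shell metacharacters.
        if (!preg_match('/^[A-Za-z0-9_.\/:=,+@%-]+$/', $arg)) {
            return null;
        }
    }
    return 'ffmpeg ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed inputs: a benign transcode and one carrying a single '&'.
$benign = 'ffmpeg -i in.mp4 -c:v libx264 out.mp4';
$probe  = 'ffmpeg -i in.mp4 out.mp4 & echo still-here';

// HEAD keeps the '&' and the command still passes the prefix gate;
// the strict variant refuses the whole command.
var_dump(sanitizeFFmpegCommandHead($probe));
var_dump(sanitizeFFmpegCommandStrict($probe));
// The benign command is accepted by both; strict returns it argument-quoted.
var_dump(sanitizeFFmpegCommandStrict($benign));
```

Rejecting instead of stripping also removes the class of bypass where a stripped sequence reassembles into a metacharacter, which is why the strict variant never edits the input.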
### Sink (unchanged)
`plugin/API/standAlone/ffmpeg.json.php:418` -> `execAsync($ffmpegCommand, $keyword)`. In `objects/functionsExec.php::execAsync`:
```php
$command = addcslashes($command, '"'); // line 686 — escapes only the double-quote
$commandWithKeyword = "nohup sh -c \"$command & echo \\$! > /tmp/$keyword.pid\" > /dev/null 2>&1 &"; // line 705
exec($commandWithKeyword, ...); // line 712 — PHP exec() runs via /bin/sh -c
```
The sanitized command is embedded inside an inner `sh -c "..."`. A bare `&` in `$command` separates commands for that inner shell, so the injected command executes. `addcslash
### Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | 0 – 29.0 | — |
No detection rules found.
No public exploits indexed.