CVE-2026-33319
Command Injection in WWBN AVideo SocialMediaPublisher Plugin
Publication date: 2026-03-22
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | all versions before 26.0 (26.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33319 is an OS command injection vulnerability in the WWBN AVideo platform's SocialMediaPublisher plugin, specifically in the `uploadVideoToLinkedIn()` method. This method constructs a shell command by directly inserting an upload URL received from LinkedIn's API response without sanitizing it. If an attacker can manipulate the LinkedIn API response (for example through a man-in-the-middle attack, compromised OAuth tokens, or a compromise of the LinkedIn API itself), they can inject arbitrary operating system commands. These commands would then execute with the privileges of the web server user, potentially leading to remote code execution.

The vulnerability arises because the shell command concatenates the file path and upload URL directly into the command string executed by PHP's `exec()` function without using proper escaping functions like `escapeshellarg()`. This lack of sanitization allows malicious input to break out of the intended command context and execute arbitrary commands.

A fix was introduced in version 26.0 of AVideo, which involves sanitizing the inputs using `escapeshellarg()` to safely escape any shell metacharacters, preventing command injection. A preferred fix is to replace the shell command execution with native PHP cURL functions to eliminate the risk entirely. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to remote code execution (RCE) on the server running the AVideo platform, with the privileges of the web server user (commonly `www-data`).
- An attacker could fully compromise confidentiality by accessing source code, configuration files, database credentials, and any data accessible to the web server.
- Integrity of the application can be compromised, allowing modification of application files, injection of backdoors, or alteration of database records.
The attack complexity is high because it requires compromising the trusted LinkedIn API response, but if successful, it represents a critical security failure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsanitized shell command execution in the `uploadVideoToLinkedIn()` method of the SocialMediaPublisher plugin. Detection can focus on identifying suspicious command executions involving the `curl` command with upload URLs that may contain injected shell metacharacters.
You can monitor web server logs or audit command executions for unusual `curl` commands that include unexpected characters or sequences in the upload URL parameter.
Example commands to detect potential exploitation attempts include searching for suspicious patterns in logs or running process monitoring:
- Check web server error or debug logs for logged shell commands related to LinkedIn video uploads (if logging is enabled): `grep curl /path/to/avideo/logs/error.log`
- Search for suspicious curl commands with unusual characters in running processes: `ps aux | grep curl`
- Audit recent shell command executions for injected commands or unusual arguments (if command auditing is enabled).
Since the vulnerability depends on manipulation of the LinkedIn API response, monitoring network traffic for unexpected or malformed API responses could also help detect attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation for this vulnerability is to ensure that any shell commands constructed with user-controllable input are properly sanitized.

Specifically, sanitize the `$uploadUrl` and `$filePath` variables using PHP's `escapeshellarg()` function before including them in the shell command to prevent command injection.

Example fix in code:

- Replace the shell command construction with: `curl -v -H "Content-Type:application/octet-stream" --upload-file 'escaped_filePath' 'escaped_uploadUrl' 2>&1` where both variables are escaped using `escapeshellarg()`.

A preferred and more secure approach is to replace the shell command execution entirely with PHP's native cURL functions (`curl_init()`, `curl_setopt()`, `curl_exec()`, etc.) to eliminate the risk of command injection.

Additionally, ensure that the LinkedIn API response is obtained securely (e.g., verify SSL/TLS certificates, protect OAuth tokens) to reduce the risk of response manipulation.

Finally, upgrade to version 26.0 or later of WWBN AVideo, where this vulnerability has been fixed. [2, 1]
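The pattern described above, written out as an added illustration (not code from AVideo or its SocialMediaPublisher plugin): the unsafe string-built command, the `escapeshellarg()` fix, and the preferred native-cURL upload with an https-only check in front of it. Function names and the `$filePath` / `$uploadUrl` variables are assumed for the example.

```php
<?php
// Added illustration, not code from AVideo's SocialMediaPublisher plugin;
// function names and the $filePath / $uploadUrl variables are assumed.
// UNSAFE pattern the advisory describes: the upload URL from the LinkedIn API
// response is concatenated straight into the exec() command. A single quote in
// the URL closes the quoted argument and the rest is parsed as shell syntax.
function buildUploadCommandUnsafe(string $filePath, string $uploadUrl): string
{
    return "curl -v -H \"Content-Type:application/octet-stream\" "
        . "--upload-file '$filePath' '$uploadUrl' 2>&1";
}

// Fix 1 (the change shipped in 26.0): escapeshellarg() wraps each value in
// single quotes and escapes embedded quotes, so it can only ever be one argument.
function buildUploadCommandEscaped(string $filePath, string $uploadUrl): string
{
    return 'curl -v -H ' . escapeshellarg('Content-Type:application/octet-stream')
        . ' --upload-file ' . escapeshellarg($filePath)
        . ' ' . escapeshellarg($uploadUrl) . ' 2>&1';
}

// Fix 2 (the advisory's preferred approach): native cURL, so no shell is
// involved at all; the URL is also required to be a well-formed https URL.
function uploadWithNativeCurl(string $filePath, string $uploadUrl): bool
{
    if (filter_var($uploadUrl, FILTER_VALIDATE_URL) === false
        || strtolower((string) parse_url($uploadUrl, PHP_URL_SCHEME)) !== 'https'
        || !is_readable($filePath)) {
        return false;
    }
    $fh = fopen($filePath, 'rb');
    $ch = curl_init($uploadUrl);
    curl_setopt_array($ch, [
        CURLOPT_UPLOAD         => true,
        CURLOPT_INFILE         => $fh,
        CURLOPT_INFILESIZE     => filesize($filePath),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/octet-stream'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // only https is allowed
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    fclose($fh);
    return $body !== false && $status >= 200 && $status < 300;
}
```

With `buildUploadCommandEscaped()`, a URL containing quotes or semicolons is still passed to `curl` as a single argument, which is the whole point of the 26.0 fix; `uploadWithNativeCurl()` removes the shell from the path entirely.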