CVE-2026-33478
Received Received - Intake
Unauthenticated Remote Code Execution via CloneSite Plugin in WWBN AVideo

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33478
EUVD
EUVD-2026-14175
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33478 is a critical vulnerability in the WWBN AVideo platform's CloneSite plugin (versions up to and including 26.0). It involves multiple chained flaws that allow a completely unauthenticated attacker to achieve remote code execution."}, {'type': 'paragraph', 'content': 'The vulnerability chain starts with the `clones.json.php` endpoint exposing secret clone keys without any authentication. These keys can be used to trigger a full database dump via the `cloneServer.json.php` endpoint. The dumped database contains admin password hashes stored as unsalted MD5 hashes, which are trivial to crack.'}, {'type': 'paragraph', 'content': 'After cracking the admin passwords, the attacker can log in as an admin and exploit an OS command injection vulnerability in the `cloneClient.json.php` file. This occurs because the rsync command is constructed using unsanitized input from the clone server, allowing arbitrary system commands to be executed as the web server user.'}] [2]

Impact Analysis

This vulnerability can lead to complete server compromise without any user interaction or privileges required.

  • An unauthenticated attacker can remotely execute arbitrary system commands on the server.
  • The entire database, including sensitive user credentials, videos, configurations, and secrets, can be fully disclosed.
  • Admin password hashes stored as unsalted MD5 are trivially crackable, enabling attackers to gain admin access.
  • Attackers can perform lateral movement using stolen database and SSH credentials.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized access to the `plugin/CloneSite/clones.json.php` endpoint, which exposes clone secret keys without authentication.'}, {'type': 'paragraph', 'content': 'You can monitor web server logs for unauthenticated requests to `clones.json.php` or `cloneServer.json.php` endpoints.'}, {'type': 'paragraph', 'content': 'Additionally, look for suspicious execution of `mysqldump` commands or unexpected SQL dump files in web-accessible directories.'}, {'type': 'paragraph', 'content': 'Commands to help detect exploitation attempts might include:'}, {'type': 'list_item', 'content': "Check web server access logs for requests to vulnerable endpoints: `grep 'clones.json.php' /var/log/apache2/access.log` or `grep 'cloneServer.json.php' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': "Search for recently created SQL dump files in web directories: `find /var/www/html -name '*.sql' -mtime -7`"}, {'type': 'list_item', 'content': 'Look for running or recently executed `mysqldump` processes: `ps aux | grep mysqldump`'}, {'type': 'list_item', 'content': 'Check for suspicious rsync commands or shell command injection attempts in logs or process lists.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the `clones.json.php` endpoint to admin users only, preventing unauthenticated disclosure of clone keys.'}, {'type': 'paragraph', 'content': 'Avoid storing SQL dump files in web-accessible directories or require authentication to download them.'}, {'type': 'paragraph', 'content': 'Sanitize all inputs used in shell commands, especially the `videosDir` field and SSH parameters, to prevent command injection.'}, {'type': 'paragraph', 'content': 'Upgrade to the patched version of AVideo where the vulnerability is fixed by input sanitization and access control enforcement (commit c85d076375fab095a14170df7ddb27058134d38c).'}, {'type': 'paragraph', 'content': "Replace insecure MD5 password hashing with stronger algorithms like bcrypt or Argon2 using PHP's `password_hash()` function."}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33478. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart