CVE-2026-33482
Status: Received - Intake
Command Injection in WWBN AVideo Encoder via Incomplete Sanitization

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-03-23
EPSS evaluated: 2026-05-25
Affected Vendors & Products
Vendor: wwbn; Product: avideo; Version / Range: up to and including 26.0
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33482 is an OS Command Injection vulnerability in the WWBN AVideo platform, specifically in the sanitizeFFmpegCommand() function. This function attempts to sanitize ffmpeg command strings by removing dangerous shell metacharacters like &&, ;, |, backticks, <, and >, but it fails to remove the bash command substitution syntax $().

Because the sanitized command is executed inside a double-quoted sh -c context, the $() syntax is interpreted by the shell, allowing an attacker who can craft a valid encrypted payload to execute arbitrary commands on the standalone encoder server.

The attack requires crafting a malicious ffmpeg command containing $(), encrypting it with AES-256-CBC using a key derived from a salt and system root path, and sending it to the standalone encoder server via an unauthenticated parameter. The server decrypts, sanitizes (improperly), and executes the command, enabling remote code execution.


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Remote Code Execution on the standalone encoder server with web server privileges.
  • Lateral movement within the network, as encoders typically have access to the main AVideo server, potentially leading to further compromise.
  • Data exfiltration, including access to video files, configuration data, and credentials.
  • Service disruption by terminating encoding processes or exhausting system resources.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying whether your WWBN AVideo standalone encoder server is running a vulnerable version (up to and including 26.0) and whether the sanitizeFFmpegCommand() function is being exploited via the unauthenticated codeToExecEncrypted parameter.

Since the attack requires sending an encrypted payload containing ffmpeg commands with bash command substitution syntax ($()), monitoring network traffic for unusual encrypted payloads sent to the endpoint plugin/API/standAlone/ffmpeg.json.php may help detect exploitation attempts.

You can also check running processes on the standalone encoder server for unexpected ffmpeg commands or shell commands that include suspicious patterns like $().

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic to the standalone encoder server and filter for requests to plugin/API/standAlone/ffmpeg.json.php.
  • On the encoder server, run commands to detect suspicious ffmpeg executions, for example: `ps aux | grep ffmpeg` and look for commands containing `$()`.
  • Search logs for requests containing the codeToExecEncrypted parameter, e.g., `grep codeToExecEncrypted /var/log/nginx/access.log` or equivalent.
  • If possible, decrypt captured payloads using the known key derivation method (sha256(saltV2) and IV from systemRootPath) to inspect for malicious command substitution.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves improving the sanitization of ffmpeg commands to prevent command injection by stripping all shell metacharacters that can be used for command substitution or chaining.

  • Replace the current denylist-based sanitizeFFmpegCommand() function with an enhanced version that removes characters such as $, (, ), {, }, backslash, and newline characters in addition to the previously stripped characters.
  • Ensure the sanitized command starts with an allowed prefix to restrict execution to permitted commands only.
  • Consider parsing ffmpeg command arguments individually and applying escapeshellarg() to each argument before assembling the command to eliminate reliance on denylists.

Additionally, restrict access to the standalone encoder server and the unauthenticated codeToExecEncrypted API endpoint to trusted sources only, if possible.

Apply the patch from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 as soon as it becomes available to fully address the vulnerability.
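Added example, not AVideo's own code: a denylist sanitizer of the kind the advisory describes, placed beside the allowlist-plus-escapeshellarg() approach from the mitigation notes above. Function names, the allowed-program list and the sample commands are assumptions constructed for illustration.

```php
<?php
// Added example, not AVideo's code. weakSanitize() mirrors the denylist
// behaviour the advisory describes; hardenFfmpegCommand() is the
// allowlist-plus-escapeshellarg() approach from the mitigation notes.
// Function names and the allowed-program list are assumptions.

// Denylist: removes chaining characters but leaves "$()" intact.
function weakSanitize(string $cmd): string
{
    return str_replace(['&&', ';', '|', '`', '<', '>'], '', $cmd);
}

// Allowlist: the first token must be a permitted program, every other
// token is wrapped by escapeshellarg() so the shell treats it as a
// literal string and never performs substitution or chaining.
function hardenFfmpegCommand(string $cmd, array $allowed = ['ffmpeg', 'ffprobe']): ?string
{
    // Whitespace split; arguments containing spaces would need a real
    // tokenizer or a structured (array-based) interface instead.
    $tokens = preg_split('/\s+/', trim($cmd), -1, PREG_SPLIT_NO_EMPTY);
    if (empty($tokens)) {
        return null;
    }
    $program = array_shift($tokens);
    if (!in_array($program, $allowed, true)) {
        return null; // reject anything that is not an allowed program
    }
    return $program . ' ' . implode(' ', array_map('escapeshellarg', $tokens));
}

// Constructed sample inputs: a benign transcode and a command carrying
// the "$()" substitution syntax the advisory describes.
$benign   = 'ffmpeg -i input.mp4 -c:v libx264 output.mp4';
$injected = 'ffmpeg -i "$(id)" output.mp4';

// The denylist passes the substitution through unchanged, so a
// double-quoted sh -c wrapper would expand it before ffmpeg runs.
echo weakSanitize($injected), PHP_EOL;

// Single-quoting by escapeshellarg() turns "$(id)" into an inert file name.
echo hardenFfmpegCommand($benign), PHP_EOL;
echo hardenFfmpegCommand($injected), PHP_EOL;

// A program outside the allowlist is rejected outright rather than "cleaned".
var_dump(hardenFfmpegCommand('cat /etc/hostname'));
```

The split-on-whitespace tokenizer is deliberately simple; in production, pass arguments as an array to a process API rather than rebuilding a string for sh -c.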

