CVE-2026-3682
Argument Injection in welovemedia FFmate Execute Function Allows Remote Attack

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. This vulnerability affects the function Execute of the file /internal/service/ffmpeg/ffmpeg.go. The manipulation leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
  • Published: 2026-03-08
  • Last Modified: 2026-04-29
  • Generated: 2026-06-16
  • AI Q&A: 2026-03-08
  • EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor        Product   Version / Range
welovemedia   ffmate    up to and including 2.0.15
CWE
  • CWE-88: The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
  • CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

CVE-2026-3682 is an argument injection vulnerability in welovemedia FFmate versions up to and including 2.0.15, specifically in the Execute function of the file /internal/service/ffmpeg/ffmpeg.go.

The vulnerability occurs because user-controlled command parameters are passed directly to the FFmpeg binary without proper validation or sanitization. Although the application tries to prevent command injection by shell escaping, attackers can exploit FFmpeg's extensive argument options to perform unauthorized actions.

Attackers can craft malicious preset commands that abuse FFmpeg's metadata writing capabilities to create text files with arbitrary content and write them to arbitrary filesystem locations accessible by the application process.

This can lead to overwriting critical system files, injecting SSH authorized keys for remote access, modifying application configuration files, and potentially achieving full remote code execution.

The vulnerable code splits user-supplied command strings by '&&', parses each command into arguments, and executes them without strict validation or path restrictions, allowing injection of dangerous FFmpeg options. [1, 2, 3]

Impact Analysis

This vulnerability can have serious impacts including unauthorized remote code execution, which can compromise the confidentiality, integrity, and availability of your system.

  • Overwriting critical system files.
  • Injecting SSH authorized keys to gain unauthorized remote access.
  • Modifying application configuration files.
  • Potential full remote code execution leading to complete system compromise.

Detection Guidance

The vulnerability involves argument injection in the FFmpeg command execution within welovemedia FFmate up to version 2.0.15. Detection can focus on monitoring for suspicious FFmpeg command executions that include unusual or malicious arguments, especially those involving metadata writing or file creation in sensitive locations.

Since the vulnerability allows attackers to craft malicious preset commands that abuse FFmpeg's metadata writing capabilities to write arbitrary files (e.g., SSH authorized_keys), monitoring for unexpected file writes or modifications in critical system paths such as ~/.ssh/authorized_keys or /etc/passwd can help detect exploitation attempts.

System-level detection commands could include:

  • Using process monitoring tools (e.g., ps, top) to identify FFmpeg processes with suspicious arguments.
  • Using auditd or inotify to watch for file writes to sensitive locations like ~/.ssh/authorized_keys or /etc/passwd.
  • Searching logs or command histories for FFmpeg commands containing unusual options such as '-metadata' and '-f ffmetadata'.
  • Example command to find suspicious FFmpeg executions in the process list: `ps aux | grep ffmpeg`, then inspect the arguments.
  • Example auditd rule to monitor writes to authorized_keys: `-w /home/<user>/.ssh/authorized_keys -p wa -k ssh_auth_changes`. auditd watch paths are literal (no glob expansion), so add one rule per user home directory, or watch each user's `.ssh` directory instead. [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include implementing strict allowlists for permissible FFmpeg arguments and output formats to prevent injection of dangerous options.

Validate and restrict output file paths to safe, designated directories to avoid unauthorized file writes to critical system locations.

Disable dangerous FFmpeg features such as arbitrary metadata file writing that can be exploited to create or overwrite files.

Perform comprehensive input validation on all user-supplied preset commands to ensure no malicious arguments are passed to FFmpeg.

If possible, replace or upgrade the affected FFmate software to a version that is not vulnerable or apply vendor patches once available.
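Added example (not FFmate's code): a Go validator for the "split on && and execute" pattern the advisory describes, enforcing the argument allowlist and output-path restriction from the mitigation steps above; the same classification can be run over FFmpeg command lines captured per the detection guidance to flag the '-metadata' and '-f ffmetadata' cases. The allowlists and the output directory are assumptions for illustration, and outDir is assumed to be an absolute path.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Allowlists are assumptions for this example (FFmate's real option set is not on the page);
// "ffmetadata" is deliberately absent: that muxer writes caller-controlled text to any output path.
var allowedOpts = map[string]bool{"-y": true, "-i": true, "-c:v": true, "-c:a": true, "-vf": true, "-crf": true, "-f": true}
var allowedFormats = map[string]bool{"mp4": true, "mkv": true, "webm": true, "mp3": true}

// pathInside reports whether p, after ".." cleaning, stays under the absolute directory dir
// (symlinks are not resolved here; resolve the parent with filepath.EvalSymlinks first in production).
func pathInside(dir, p string) bool {
	absP, err := filepath.Abs(p)
	rel, err2 := filepath.Rel(dir, absP)
	if err != nil || err2 != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ValidatePreset splits a preset on "&&" as the advisory describes, tokenises each command, and
// rejects non-allowlisted options, any -metadata* option, a non-allowlisted -f muxer, or an output path outside outDir.
func ValidatePreset(preset, outDir string) ([][]string, error) {
	var cmds [][]string
	for _, raw := range strings.Split(preset, "&&") {
		args := strings.Fields(raw)
		if len(args) == 0 {
			return nil, fmt.Errorf("empty command in preset")
		}
		for i := 0; i < len(args)-1; i++ { // last token is the output path
			a := args[i]
			switch {
			case !strings.HasPrefix(a, "-"): // value of the preceding option
			case strings.HasPrefix(a, "-metadata"):
				return nil, fmt.Errorf("metadata options are not permitted: %s", a)
			case !allowedOpts[a]:
				return nil, fmt.Errorf("option not in allowlist: %s", a)
			case a == "-f" && (i+1 >= len(args)-1 || !allowedFormats[args[i+1]]):
				return nil, fmt.Errorf("output format not in allowlist")
			}
		}
		if out := args[len(args)-1]; !pathInside(outDir, out) {
			return nil, fmt.Errorf("output path escapes %s: %s", outDir, out)
		}
		cmds = append(cmds, args)
	}
	return cmds, nil
}
```

Only the validated argv slices should reach exec.Command; input paths deserve the same directory confinement as outputs.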
