CVE-2026-3682
Argument Injection in welovemedia FFmate Execute Function Allows Remote Attack

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. This vulnerability affects the function Execute of the file /internal/service/ffmpeg/ffmpeg.go. The manipulation leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-03-08
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor        Product   Version / Range
welovemedia   ffmate    up to 2.0.15 (inclusive)
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3682 is an argument injection vulnerability in welovemedia FFmate versions up to and including 2.0.15, specifically in the Execute function of the file /internal/service/ffmpeg/ffmpeg.go.

The vulnerability occurs because user-controlled command parameters are passed directly to the FFmpeg binary without proper validation or sanitization. Although the application tries to prevent command injection by shell escaping, attackers can exploit FFmpeg's extensive argument options to perform unauthorized actions.

Attackers can craft malicious preset commands that abuse FFmpeg's metadata writing capabilities to create text files with arbitrary content and write them to arbitrary filesystem locations accessible by the application process.

This can lead to overwriting critical system files, injecting SSH authorized keys for remote access, modifying application configuration files, and potentially achieving full remote code execution.

The vulnerable code splits user-supplied command strings by '&&', parses each command into arguments, and executes them without strict validation or path restrictions, allowing injection of dangerous FFmpeg options. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized remote code execution, which can compromise the confidentiality, integrity, and availability of your system.

  • Overwriting critical system files.
  • Injecting SSH authorized keys to gain unauthorized remote access.
  • Modifying application configuration files.
  • Potential full remote code execution leading to complete system compromise.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability involves argument injection in the FFmpeg command execution within welovemedia FFmate up to version 2.0.15. Detection can focus on monitoring for suspicious FFmpeg command executions that include unusual or malicious arguments, especially those involving metadata writing or file creation in sensitive locations.

Since the vulnerability allows attackers to craft malicious preset commands that abuse FFmpeg's metadata writing capabilities to write arbitrary files (e.g., SSH authorized_keys), monitoring for unexpected file writes or modifications in critical system paths such as ~/.ssh/authorized_keys or /etc/passwd can help detect exploitation attempts.

Network or system detection commands could include:

  • Using process monitoring tools (e.g., ps, top) to identify FFmpeg processes with suspicious arguments.
  • Using auditd or inotify to watch for file writes to sensitive locations like ~/.ssh/authorized_keys or /etc/passwd.
  • Searching logs or command histories for FFmpeg commands containing unusual options such as '-metadata' and '-f ffmetadata'.
  • Example command to find suspicious FFmpeg executions in the process list: `ps aux | grep ffmpeg`, then inspect the arguments.
  • Example auditd rule to monitor writes to authorized_keys: `-w /home/*/.ssh/authorized_keys -p wa -k ssh_auth_changes`.

[1, 2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing strict allowlists for permissible FFmpeg arguments and output formats to prevent injection of dangerous options.

Validate and restrict output file paths to safe, designated directories to avoid unauthorized file writes to critical system locations.

Disable dangerous FFmpeg features such as arbitrary metadata file writing that can be exploited to create or overwrite files.

Perform comprehensive input validation on all user-supplied preset commands to ensure no malicious arguments are passed to FFmpeg.

If possible, replace or upgrade the affected FFmate software to a version that is not vulnerable or apply vendor patches once available.
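As an added example (not FFmate's own code and not a vendor patch), the Go function below applies the two controls named in the mitigation steps above: an allowlist of FFmpeg options and muxers, and confinement of the output file to a designated directory. It also serves the detection section: run in audit mode over argument vectors recovered from a process listing, the same check flags the command lines that the detection advice describes. The allowlist contents, the directory /var/lib/ffmate/out and the sample argument vectors are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// allowedFlags is an assumed allowlist for a plain transcode workload.
// The value records whether the option consumes the following argument.
// Anything not listed, including -metadata, is rejected.
var allowedFlags = map[string]bool{
	"-i":           true,
	"-c:v":         true,
	"-c:a":         true,
	"-b:v":         true,
	"-b:a":         true,
	"-vf":          true,
	"-r":           true,
	"-s":           true,
	"-loglevel":    true,
	"-y":           false,
	"-n":           false,
	"-hide_banner": false,
}

// allowedMuxers restricts what -f may select; ffmetadata is deliberately absent.
var allowedMuxers = map[string]bool{
	"mp4": true, "matroska": true, "webm": true, "mp3": true,
}

// insideDir reports whether p, cleaned and made absolute, is a path strictly
// inside dir. A bare ".." or a "../" prefix of the relative path means escape;
// a name that merely starts with ".." (e.g. "..notes") is still inside.
func insideDir(dir, p string) (bool, error) {
	absDir, err := filepath.Abs(dir)
	if err != nil {
		return false, err
	}
	absP, err := filepath.Abs(p)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(absDir, absP)
	if err != nil {
		return false, err
	}
	sep := string(filepath.Separator)
	return rel != "." && rel != ".." && !strings.HasPrefix(rel, ".."+sep), nil
}

// ValidateFFmpegArgs checks an already-split argument vector (never a shell
// string) against the allowlist and confines the single trailing output file
// to outDir. Positional tokens such as "&&" fail the option check, so a
// command chain cannot slip through as one vector.
func ValidateFFmpegArgs(args []string, outDir string) error {
	if len(args) == 0 {
		return errors.New("empty argument vector")
	}
	out := args[len(args)-1]
	if strings.HasPrefix(out, "-") {
		return fmt.Errorf("output path %q looks like an option", out)
	}
	ok, err := insideDir(outDir, out)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("output path %q escapes %q", out, outDir)
	}
	last := len(args) - 1 // index of the output file; options live before it
	for i := 0; i < last; i++ {
		a := args[i]
		if !strings.HasPrefix(a, "-") {
			return fmt.Errorf("unexpected positional argument %q", a)
		}
		if a == "-f" {
			if i+1 >= last {
				return errors.New("-f without a value")
			}
			if !allowedMuxers[args[i+1]] {
				return fmt.Errorf("muxer %q is not allowlisted", args[i+1])
			}
			i++
			continue
		}
		takesValue, listed := allowedFlags[a]
		if !listed {
			return fmt.Errorf("option %q is not allowlisted", a)
		}
		if takesValue {
			if i+1 >= last {
				return fmt.Errorf("option %q is missing its value", a)
			}
			if strings.HasPrefix(args[i+1], "-") {
				return fmt.Errorf("value for %q looks like an option: %q", a, args[i+1])
			}
			i++
		}
	}
	return nil
}

func main() {
	outDir := "/var/lib/ffmate/out" // assumed designated output directory
	samples := [][]string{ // constructed argument vectors
		{"-hide_banner", "-i", "in.mp4", "-c:v", "libx264", "-b:v", "2M", "-f", "mp4", "/var/lib/ffmate/out/job1.mp4"},
		{"-i", "in.mp4", "-f", "ffmetadata", "/var/lib/ffmate/out/job2.txt"},
		{"-i", "in.mp4", "/var/lib/ffmate/out/../../../../tmp/escaped.txt"},
	}
	for _, args := range samples {
		if err := ValidateFFmpegArgs(args, outDir); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("ACCEPT:", strings.Join(args, " "))
		}
	}
}
```

The check deliberately runs on an argv slice rather than on the preset string: escaping the string for a shell does nothing about options FFmpeg itself interprets, which is the point of CWE-88 above. The same rule set would apply equally to input paths given to -i if inputs are also user-supplied.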

