CVE-2026-41064
Command Injection in WWBN AVideo test.php via Unsanitized URLs
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 29.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue arises from an incomplete fix in the file `test.php`. While the fix added the use of `escapeshellarg` for the wget command to sanitize inputs, it left other code paths using `file_get_contents` and `curl` unsanitized. Additionally, the URL validation uses a regex pattern `/^http/` which is insufficient because it accepts malformed URLs such as those starting with 'httpevil.com'. This allows potentially malicious input to be processed.
How can this vulnerability impact me? :
The vulnerability has a high severity with a CVSS v3.1 base score of 9.3, indicating it can be exploited remotely with low complexity and no privileges required. It can lead to a complete compromise of confidentiality (C:H), partial integrity loss (I:L), and no impact on availability (A:N). This means an attacker could potentially execute unauthorized commands or access sensitive data through unsanitized inputs, leading to data breaches or unauthorized system control.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 or later.
The vulnerability exists because the incomplete fix only added escapeshellarg for wget but left file_get_contents and curl code paths unsanitized, and the URL validation regex is insufficient. Applying the updated fix will address these issues.