CVE-2026-41064
Received Received - Intake
Command Injection in WWBN AVideo test.php via Unsanitized URLs

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41064
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue arises from an incomplete fix in the file `test.php`. While the fix added the use of `escapeshellarg` for the wget command to sanitize inputs, it left other code paths using `file_get_contents` and `curl` unsanitized. Additionally, the URL validation uses a regex pattern `/^http/` which is insufficient because it accepts malformed URLs such as those starting with 'httpevil.com'. This allows potentially malicious input to be processed.

Impact Analysis

The vulnerability has a high severity with a CVSS v3.1 base score of 9.3, indicating it can be exploited remotely with low complexity and no privileges required. It can lead to a complete compromise of confidentiality (C:H), partial integrity loss (I:L), and no impact on availability (A:N). This means an attacker could potentially execute unauthorized commands or access sensitive data through unsanitized inputs, leading to data breaches or unauthorized system control.

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 or later.

The vulnerability exists because the incomplete fix only added escapeshellarg for wget but left file_get_contents and curl code paths unsanitized, and the URL validation regex is insufficient. Applying the updated fix will address these issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart