CVE-2026-41304
Command Injection in WWBN AVideo CloneSite Plugin Enables RCE
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 29.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, specifically in versions 29.0 and below. The issue is in the CloneSite plugin's `cloneServer.json.php` endpoint, which constructs shell commands using user input from the `url` parameter without properly sanitizing it. Because the input is directly concatenated into a `wget` command executed via the PHP `exec()` function, an attacker can inject arbitrary shell commands by using shell metacharacters like `;`. This allows the attacker to execute remote code on the server.
How can this vulnerability impact me?
The vulnerability allows an attacker to perform Remote Code Execution (RCE) on the affected server. This means the attacker can run arbitrary commands on the server with the same privileges as the web server process. The impact includes potential full compromise of the server, unauthorized access to sensitive data, disruption of services, and the ability to install malware or pivot to other systems within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the `cloneServer.json.php` endpoint in the CloneSite plugin of WWBN AVideo versions 29.0 and below, where user input is unsafely used in shell commands leading to command injection.
To detect exploitation attempts on your system or network, you can monitor web server logs for suspicious requests to the `cloneServer.json.php` endpoint containing shell metacharacters such as semicolons (`;`), backticks, or other command injection patterns in the `url` parameter.
Example commands to search for suspicious requests in Apache or Nginx logs (the second `grep` also catches the URL-encoded forms `%3B` and `%60`, which the raw metacharacters alone would miss):

```sh
grep 'cloneServer.json.php' /var/log/apache2/access.log | grep -iE '[;`]|%3B|%60'
grep 'cloneServer.json.php' /var/log/nginx/access.log | grep -iE '[;`]|%3B|%60'
```
Additionally, monitoring for unexpected processes or commands spawned by the web server user could help detect active exploitation.
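The detection approach above, worked through as an added example (not code from the AVideo project or this advisory): it parses Apache combined-format access log lines, URL-decodes the `url` query parameter the way PHP's `$_GET` would, and flags requests to `cloneServer.json.php` whose decoded value contains shell metacharacters. The log lines, client addresses and the `/plugin/CloneSite/` path prefix are constructed for illustration and are assumptions, not values taken from the advisory.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-format log lines (not real traffic); the path
# prefix is a placeholder, only the cloneServer.json.php filename matters.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2026:10:01:02 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=https://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Apr/2026:10:01:07 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=https://example.com/;id HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.9 - - [22/Apr/2026:10:01:09 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=https%3A%2F%2Fexample.com%2F%3Bwhoami HTTP/1.1" 200 64 "-" "curl/8.0"
198.51.100.2 - - [22/Apr/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, timestamp and request target of a combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
# characters a POSIX shell interprets when input is concatenated unquoted
SHELL_META = re.compile(r"[;`|&$()<>\n]")


def suspicious_url_param(target):
    """Return the decoded `url` value when `target` hits cloneServer.json.php
    and that value contains shell metacharacters; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.endswith("cloneServer.json.php"):
        return None
    for pair in parts.query.split("&"):      # PHP splits $_GET on '&'
        key, _, raw = pair.partition("=")
        if key != "url":
            continue
        value = unquote_plus(raw)            # decode once, as PHP's urldecode does
        if SHELL_META.search(value):         # an encoded '&' in a legit URL also
            return value                     # trips this: the shell would see it too
    return None


def scan_log(text):
    """Yield (client ip, timestamp, decoded url value) for each flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_url_param(m["target"])
        if bad is not None:
            hits.append((m["ip"], m["ts"], bad))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious url param: {value!r}")
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log").read())`; any hit should be triaged together with the process tree of the web server user at that timestamp.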
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update WWBN AVideo to a version that includes the fix, specifically after commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.
If updating is not immediately possible, restrict access to the vulnerable `cloneServer.json.php` endpoint, for example by limiting access via firewall rules or web server configuration.
Additionally, monitor and block suspicious input containing shell metacharacters in the `url` parameter to prevent command injection.
Avoid running the web server with unnecessary privileges to reduce the impact of potential exploitation.