CVE-2026-41304
Status: Received - Intake
Command Injection in WWBN AVideo CloneSite Plugin Enables RCE

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: wwbn
Product: avideo
Version / Range: up to and including 29.0
Exploitability
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'). The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Executive Summary

This vulnerability affects WWBN AVideo, an open source video platform, in versions 29.0 and below. The CloneSite plugin's `cloneServer.json.php` endpoint takes the `url` request parameter and concatenates it directly into a `wget` command string that is then run through PHP's `exec()`, with no validation or shell quoting of the value. Because the value reaches the shell unquoted, a metacharacter such as `;` terminates the intended `wget` command and whatever follows it runs as a separate command, giving the attacker arbitrary command execution on the server.
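The pattern described above, shown as an added illustration that is not AVideo's own code: an unsafe command builder that concatenates the parameter next to a hardened one that validates the value and quotes it with `escapeshellarg()`. The function names, the `wget` flags and the output path are hypothetical; the example builds the command strings without executing them.

```php
<?php
declare(strict_types=1);

// Added illustration, not AVideo's own code: the unsafe pattern the advisory
// describes next to a hardened form. Function names, the wget flags and the
// output path are hypothetical.

// Vulnerable pattern: the request parameter is concatenated into the command
// string as-is, so a `;` in it ends the wget command and starts a new one.
function buildCloneCommandUnsafe(string $url): string
{
    return 'wget -q -O /tmp/clone.zip ' . $url;
}

// Hardened form. Validation narrows the input to an http(s) URL, but a URL may
// legitimately contain `;`, so validation alone does not stop the injection;
// escapeshellarg() is what makes the shell treat the value as one literal argument.
function buildCloneCommandSafe(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return 'wget -q -O /tmp/clone.zip ' . escapeshellarg($url);
}

// Constructed attacker value: a syntactically valid URL that smuggles a second command.
$injected = 'http://example.com/;id';

echo "unsafe: ", buildCloneCommandUnsafe($injected), PHP_EOL;
echo "safe:   ", buildCloneCommandSafe($injected) ?? 'rejected', PHP_EOL;

// A non-http scheme is rejected by the allowlist in the hardened builder.
echo "file://: ", buildCloneCommandSafe('file:///etc/passwd') ?? 'rejected', PHP_EOL;
```

Run it with `php` on the command line. The unsafe builder yields a string in which `;id` is a second shell command; the safe builder wraps the whole value in single quotes so the shell passes it to `wget` as one argument. Note that `FILTER_VALIDATE_URL` accepts the injected value, because `;` is a legal URL character; the quoting, not the validation, is what neutralizes the injection.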

Impact Analysis

The vulnerability allows an attacker to perform Remote Code Execution (RCE) on the affected server. This means the attacker can run arbitrary commands on the server with the same privileges as the web server process. The impact includes potential full compromise of the server, unauthorized access to sensitive data, disruption of services, and the ability to install malware or pivot to other systems within the network.

Detection Guidance

Requests to the vulnerable endpoint are the primary signal. Monitor web server access logs for requests to `cloneServer.json.php` whose `url` parameter contains shell metacharacters such as `;`, `|`, backticks or `$(`, or an embedded newline. Access logs record the request line URL-encoded, so an injected `;` usually appears as `%3B`, a backtick as `%60` and `|` as `%7C`; search for the raw and the encoded forms. Parameters sent in a POST body are not written to access logs at all, so this check only covers requests that carry `url` in the query string.

Example commands to search for suspicious requests in Apache or Nginx logs:

  • grep -F 'cloneServer.json.php' /var/log/apache2/access.log | grep -Ei '[;`|]|%3b|%60|%7c'
  • grep -F 'cloneServer.json.php' /var/log/nginx/access.log | grep -Ei '[;`|]|%3b|%60|%7c'

Additionally, monitor for unexpected child processes of the web server user (shells, `wget` or `curl` spawned by `www-data` or the equivalent account), which indicates active exploitation rather than just probing.
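The detection logic run over sample log lines, as an added example that is not part of the advisory: it extracts the request target from each combined-format access-log line, percent-decodes the `url` parameter of requests to `cloneServer.json.php`, and flags values containing shell metacharacters, which catches the encoded forms a plain grep on the raw line would miss. The log lines are constructed, and the plugin path in them is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory: decode the `url` parameter of requests to
// cloneServer.json.php found in access-log lines and flag shell metacharacters in it.
// The log lines at the bottom are constructed and the plugin path in them is assumed.

// Tokens that end or chain a shell command. A single `&` is omitted because it also
// separates legitimate query parameters inside a cloned URL and would be noisy.
const SHELL_METACHARS = [';', '|', '`', '$(', '&&', "\n", "\r"];

// Pull the request target (the part between the method and HTTP/x.y) out of a
// combined-format log line.
function requestTarget(string $line): ?string
{
    if (preg_match('/"[A-Z]+ (\S+) HTTP\/[0-9.]+"/', $line, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Return the percent-decoded `url` parameter when the line targets cloneServer.json.php.
// parse_str() does the decoding, so %3B comes back as ';' and %60 as '`'.
function cloneSiteUrlParam(string $line): ?string
{
    $target = requestTarget($line);
    if ($target === null || stripos($target, 'cloneServer.json.php') === false) {
        return null;
    }
    $q = strpos($target, '?');
    if ($q === false) {
        return null;
    }
    parse_str(substr($target, $q + 1), $params);
    return (isset($params['url']) && is_string($params['url'])) ? $params['url'] : null;
}

function hasShellMetachars(string $value): bool
{
    foreach (SHELL_METACHARS as $token) {
        if (strpos($value, $token) !== false) {
            return true;
        }
    }
    return false;
}

// Scan lines and return the matches as [line number, decoded url] pairs.
function scanAccessLog(iterable $lines): array
{
    $hits = [];
    $n = 0;
    foreach ($lines as $line) {
        $n++;
        $url = cloneSiteUrlParam($line);
        if ($url !== null && hasShellMetachars($url)) {
            $hits[] = ['line' => $n, 'url' => $url];
        }
    }
    return $hits;
}

// Constructed sample lines (plugin path assumed). Line 1 is a benign clone request,
// lines 2 and 3 carry an encoded `;` and backticks, line 4 is an unrelated endpoint.
$sampleLog = [
    '203.0.113.5 - - [22/Apr/2026:10:00:01 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=http%3A%2F%2Fexample.com%2F HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [22/Apr/2026:10:00:02 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=http%3A%2F%2Fexample.com%2F%3Bid HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [22/Apr/2026:10:00:03 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=http://example.com/%60id%60 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [22/Apr/2026:10:00:04 +0000] "GET /index.php?q=a;b HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("line %d: suspicious url=%s\n", $hit['line'], $hit['url']);
}
```

To run it against a real log, pass `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)` to `scanAccessLog()` instead of the sample array. Only the second and third sample lines are reported: the first is a clean clone request and the fourth hits a different endpoint. Because the decoding happens before the metacharacter check, it does not matter whether the attacker sent `;` raw or as `%3B`.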

Mitigation Strategies

The immediate mitigation step is to update WWBN AVideo to a release that includes the fix in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.

If updating is not immediately possible, restrict access to the vulnerable `cloneServer.json.php` endpoint, for example with firewall rules or web server configuration that limit it to trusted addresses.

Filtering requests whose `url` parameter contains shell metacharacters (including percent-encoded forms such as `%3B` and `%60`) can blunt opportunistic exploitation, but it is a stopgap: a filter that enumerates bad characters is easy to slip past, and only a code-level fix that validates the value and quotes it before it reaches the shell removes the injection.

Run the web server process with the least privilege it needs, so that a successful injection does not yield root or access beyond the application's own files.
