CVE-2026-45578
Analyzed - Analysis Complete
YPTSocket Shell Metacharacter Injection in AVideo

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Versions 29.0 and earlier contain a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands.
Meta Information
Published: 2026-05-29
Last Modified: 2026-06-01
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wwbn
Product: avideo
Version / Range: to 29.0 (inc)
CWE
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-45578 is an OS command injection vulnerability in the AVideo software, specifically in the on_publish.php file within the Live plugin.

The vulnerability occurs because the code builds a command line by concatenating strings and wrapping variables in single quotes without properly escaping them using escapeshellarg().

An attacker can inject malicious commands by including a single quote (') in one of the variables ($users_id, $m3u8, or $obj->liveTransmitionHistory_id), which closes the quoted string and allows arbitrary command execution.

This can be exploited if an attacker can authenticate and insert a single quote in one of these variables, for example by manipulating the stream key via a low-privilege account.

The attack can be carried out directly via an HTTP POST request to /plugin/Live/on_publish.php without needing access to nginx-rtmp.

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary commands with the privileges of the web server user.

This can lead to serious impacts including data theft, deployment of webshells, and further system compromise.

Because the vulnerability has a high severity score (CVSS 8.8), it poses significant risks to confidentiality, integrity, and availability of the affected system.

Detection Guidance

Attempted exploitation can be detected by monitoring HTTP POST requests to the endpoint /plugin/Live/on_publish.php for request values containing single quotes (') that end up in $users_id, $m3u8, or $obj->liveTransmitionHistory_id, which may indicate attempted command injection.

You can use network monitoring tools or web server logs to identify such requests.

Example commands to detect suspicious requests include:

  • Using grep on web server access logs to find POST requests to the vulnerable endpoint with single quotes: grep "POST /plugin/Live/on_publish.php" /var/log/apache2/access.log | grep "'"
  • Using tcpdump or tshark to capture HTTP POST traffic to the endpoint and inspect for suspicious characters.
  • Using intrusion detection systems (IDS) with rules to detect shell metacharacter injection patterns in HTTP POST data targeting on_publish.php.
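
A log-triage script extending the grep check above, added here as an example and not part of the original advisory: it flags POSTs to the endpoint whose request line carries a ' or %27, and also POSTs from unexpected callers. The combined log format, the ALLOWED address list and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: triage access-log lines for POSTs to the on_publish endpoint.
# Assumptions (not from the advisory): "combined" log format; legitimate
# callbacks come only from the addresses in ALLOWED.
ENDPOINT='/plugin/Live/on_publish.php'
ALLOWED='127.0.0.1 ::1'   # assumed RTMP server addresses; set per site

# scan_on_publish [FILE...]  (reads stdin when no file is given)
# Prints REASON<TAB>client<TAB>request-line for each flagged POST:
#   QUOTE   request line contains a literal ' or its URL-encoded form %27
#   SOURCE  client address is not in ALLOWED
scan_on_publish() {
    awk -v ep="$ENDPOINT" -v allowed="$ALLOWED" -v sq="'" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # The request line is the first double-quoted field of the log line.
        if (split($0, q, "\"") < 3) next
        req = q[2]
        if (split(req, r, " ") < 2 || r[1] != "POST") next
        path = r[2]
        sub(/\?.*/, "", path)          # compare the path without its query
        if (path != ep) next
        if (index(req, sq) || index(req, "%27"))
            print "QUOTE\t" $1 "\t" req
        else if (!($1 in ok))
            print "SOURCE\t" $1 "\t" req
    }' "$@"
}

# Constructed sample log lines (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
127.0.0.1 - - [01/Jun/2026:10:00:00 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [01/Jun/2026:10:01:00 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jun/2026:10:02:00 +0000] "POST /plugin/Live/on_publish.php?x=a%27b HTTP/1.1" 200 12 "-" "curl/8.5.0"
192.0.2.10 - - [01/Jun/2026:10:03:00 +0000] "GET /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "-"
192.0.2.10 - - [01/Jun/2026:10:04:00 +0000] "POST /plugin/Live/index.php HTTP/1.1" 200 12 "-" "-"
EOF
}

sample_log | scan_on_publish
```

Access logs normally record only the request line, so a quote sent in the POST body will not appear there; the SOURCE rule covers that case by flagging any caller outside the expected set.
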
Mitigation Strategies

Immediate mitigation steps include applying the official fix that ensures all variables interpolated into the command string in on_publish.php are properly escaped using escapeshellarg().

As a defense-in-depth measure, restrict access to the /plugin/Live/on_publish.php endpoint using web server access controls such as .htaccess rules for Apache or equivalent nginx configuration.

Additionally, monitor and audit logs for suspicious activity and consider temporarily disabling the Live plugin if feasible until the patch is applied.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary commands on the server with the privileges of the web server user, potentially leading to data theft, webshell deployment, or further system compromise.

Such unauthorized access and potential data breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity and availability.

Exploitation of this vulnerability could result in confidentiality, integrity, and availability violations, which are critical factors in regulatory compliance.
