CVE-2026-63304
Deferred Deferred - Pending Action

AVideo OS Command Injection via listFFmpegProcesses

Vulnerability report for CVE-2026-63304, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses() function interpolates unsanitized keyword parameters inside single quotes without escaping. Attackers who can craft a valid encrypted codeToExec payload can break out of the single-quoted grep context and execute arbitrary OS commands as the web-server user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

AVideo through version 29.0 has an OS command injection flaw in plugin/API/standAlone/functions.php. The listFFmpegProcesses() function inserts unsanitized keyword parameters into single quotes without escaping. Attackers can exploit this by crafting a valid encrypted codeToExec payload to break out of the grep context and run arbitrary OS commands as the web server user.

Detection Guidance

Check for suspicious processes or unusual command execution patterns in the web server logs. Look for grep commands with unexpected arguments or payloads in the plugin/API/standAlone/functions.php file. Monitor for unauthorized system commands executed by the web-server user.

Impact Analysis

This vulnerability allows attackers to execute arbitrary operating system commands on the server running AVideo. This could lead to full system compromise, data theft, unauthorized access, or disruption of services. The impact depends on the server's permissions and the attacker's goals.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR and HIPAA requirements for data protection and confidentiality. Organizations may face legal penalties, loss of trust, and compliance violations if exploited.

Mitigation Strategies

Update AVideo to the latest version beyond 29.0. If an update is unavailable, disable the vulnerable plugin/API functionality. Restrict web server user permissions to limit command execution scope. Review and sanitize all user inputs in the listFFmpegProcesses() function.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63304. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart