CVE-2026-63305
Deferred Deferred - Pending Action

AVideo OS Command Injection via ffmpeg.json.php

Vulnerability report for CVE-2026-63305, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft a valid encrypted payload can inject arbitrary shell metacharacters into these fields to execute OS commands as the web-server user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

AVideo version 29.0 and earlier has an OS command injection flaw in the ffmpeg.json.php endpoint. The vulnerability occurs because the notifyCode and callback parameters are directly concatenated into a shell command without proper escaping. Attackers who can create a valid encrypted payload can inject shell metacharacters into these parameters to execute arbitrary operating system commands with the privileges of the web server user.

Detection Guidance

Check if the AVideo application is running and accessible. Inspect network traffic for requests to the ffmpeg.json.php endpoint with notifyCode or callback parameters containing suspicious shell metacharacters or encrypted payloads.

Impact Analysis

This vulnerability allows attackers to execute arbitrary commands on the server running AVideo. This could lead to full system compromise, data theft, unauthorized access, or disruption of services. If exploited, attackers may gain control over the server, install malware, or exfiltrate sensitive data.

Compliance Impact

This vulnerability can severely impact compliance with GDPR, HIPAA, and other regulations. It may result in unauthorized access to personal or sensitive data, leading to data breaches. Organizations could face legal penalties, fines, and reputational damage due to non-compliance with data protection requirements.

Mitigation Strategies

Update AVideo to the latest version beyond 29.0. Disable or restrict access to the ffmpeg.json.php endpoint if not needed. Implement input validation and sanitization for notifyCode and callback parameters to prevent command injection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63305. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart