CVE-2026-33478 — AI Deep Analysis Summary

🚨 **Essence**: A critical vulnerability chain in WWBN AVideo's **CloneSite plugin**. 📉 **Consequences**: Unauthenticated attackers can achieve **Remote Code Execution (RCE)**.…

🛡️ **Root Cause**: **CWE-78 (OS Command Injection)**. The flaw lies in how the **rsync command** is constructed.…

👥 **Affected**: **WWBN AVideo** versions **26.0 and earlier**. 📦 **Component**: Specifically the **CloneSite plugin**. If you are running an older version, you are at risk.

💀 **Attacker Capabilities**: 1. **Leak Clone Keys**: Expose sensitive secrets. 2. **Database Dump**: Steal all user data. 3. **RCE**: Execute arbitrary commands on the server. 4.…

🔓 **Threshold**: **LOW**. - **Auth**: None required (Unauthenticated). - **Config**: Low complexity (AC:L). - **UI**: No user interaction needed (UI:N). 🚀 Easy to exploit remotely.

🔍 **Public Exp?**: **YES**. A Nuclei template is available on GitHub (ProjectDiscovery). Wild exploitation is likely imminent due to the ease of use and high impact.

🔎 **Self-Check**: 1. Scan for **AVideo** instances. 2. Check if **CloneSite plugin** is active. 3. Verify version is **≤ 26.0**. 4. Use the provided Nuclei template for automated detection.

✅ **Fixed?**: **YES**. The vendor has issued a security advisory (GHSA-687q-32c6-8x68) and a commit fix. Update to the latest version immediately to patch the OS injection flaw.

🚧 **No Patch?**: 1. **Disable** the CloneSite plugin immediately. 2. **Restrict** access to the AVideo installation via firewall. 3. **Monitor** logs for suspicious rsync or command execution attempts.

🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.8+). Unauthenticated RCE is a top-priority threat. Patch **NOW** or isolate the system to prevent total compromise.