CVE-2026-33478— AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33478
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 26.0及之前版本存在安全漏洞,该漏洞源于CloneSite插件中的多个漏洞链式结合,可能导致未经身份验证的攻击者实现远程代码执行,包括泄露克隆密钥、触发数据库转储和利用OS命令注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2026-33478
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-33478.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33478
请登录查看更多情报信息。
Same Patch Batch · WWBN · 2026-03-23 · 34 CVEs total
| CVE-2026-33352 | 9.8 CRITICAL | AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escap |
| CVE-2026-33716 | 9.4 CRITICAL | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in c |
| CVE-2026-33502 | 9.3 CRITICAL | AVideo has Unauthenticated SSRF via plugin/Live/test.php |
| CVE-2026-33351 | 9.1 CRITICAL | AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaini |
| CVE-2026-33507 | 8.8 HIGH | AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Exec |
| CVE-2026-33717 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloa |
| CVE-2026-33647 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery Fil |
| CVE-2026-33648 | 8.8 HIGH | AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionH |
| CVE-2026-33479 | 8.8 HIGH | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through |
| CVE-2026-33719 | 8.6 HIGH | AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypa |
| CVE-2026-33513 | 8.6 HIGH | AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writab |
| CVE-2026-33480 | 8.6 HIGH | AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated Live |
| CVE-2026-33482 | 8.1 HIGH | AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegComm |
| CVE-2026-33651 | 8.1 HIGH | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_i |
| CVE-2026-33649 | 8.1 HIGH | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitra |
| CVE-2026-33354 | 7.6 HIGH | AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `a |
| CVE-2026-33650 | 7.6 HIGH | AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Vid |
| CVE-2026-33485 | 7.5 HIGH | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream N |
| CVE-2026-33512 | 7.5 HIGH | AVideo has an unauthenticated decrypt oracle leaking any ciphertext |
| CVE-2026-33483 | 7.5 HIGH | AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation |
Showing top 20 of 34 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: AVideo
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same vendor: WWBN
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same weakness: CWE-78
- CVE-2026-8273
D-Link DNS-320 system_mgr.cgi cgi_merge_user os command inje - CVE-2026-8272
D-Link DNS-320 webfile_mgr.cgi chown os command injection - CVE-2026-8271
D-Link DNS-320 network_mgr.cgi cgi_upnp_edit os command inje - CVE-2026-8265
Tenda AC6 httpd getLogFile get_log_file os command injection - CVE-2026-8264
Tenda AC6 httpd WifiApScan formWifiApScan os command injecti
V. Comments for CVE-2026-33478
No comments yet