Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
No public POC found.

| CVE ID | Severity | Description |
|---|---|---|
| CVE-2026-33478 | 10.0 CRITICAL | AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, |
| CVE-2026-33352 | 9.8 CRITICAL | AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escap |
| CVE-2026-33716 | 9.4 CRITICAL | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in c |
| CVE-2026-33502 | 9.3 CRITICAL | AVideo has Unauthenticated SSRF via plugin/Live/test.php |
| CVE-2026-33351 | 9.1 CRITICAL | AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaini |
| CVE-2026-33507 | 8.8 HIGH | AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Exec |
| CVE-2026-33717 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloa |
| CVE-2026-33647 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery Fil |
| CVE-2026-33648 | 8.8 HIGH | AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionH |
| CVE-2026-33479 | 8.8 HIGH | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through |
| CVE-2026-33719 | 8.6 HIGH | AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypa |
| CVE-2026-33513 | 8.6 HIGH | AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writab |
| CVE-2026-33480 | 8.6 HIGH | AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated Live |
| CVE-2026-33651 | 8.1 HIGH | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_i |
| CVE-2026-33649 | 8.1 HIGH | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitra |
| CVE-2026-33354 | 7.6 HIGH | AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `a |
| CVE-2026-33650 | 7.6 HIGH | AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Vid |
| CVE-2026-33485 | 7.5 HIGH | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream N |
| CVE-2026-33483 | 7.5 HIGH | AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation |
| CVE-2026-33512 | 7.5 HIGH | AVideo has an unauthenticated decrypt oracle leaking any ciphertext |

Showing top 20 of 34 CVEs.