Search criteria
6 vulnerabilities found for AVideo-Encoder by WWBN
CVE-2026-33025 (GCVE-0-2026-33025)
Vulnerability from nvd – Published: 2026-03-20 05:02 – Updated: 2026-03-20 13:53
VLAI?
Title
AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause
Summary
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers — making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WWBN | AVideo-Encoder |
Affected:
< 8.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T13:52:58.726958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T13:53:06.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo-Encoder",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST[\u0027sort\u0027] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T05:02:09.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj"
},
{
"name": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124"
}
],
"source": {
"advisory": "GHSA-5qvj-5h75-27pj",
"discovery": "UNKNOWN"
},
"title": "AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33025",
"datePublished": "2026-03-20T05:02:09.501Z",
"dateReserved": "2026-03-17T17:22:14.668Z",
"dateUpdated": "2026-03-20T13:53:06.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33024 (GCVE-0-2026-33024)
Vulnerability from nvd – Published: 2026-03-20 04:58 – Updated: 2026-03-20 18:08
VLAI?
Title
AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator
Summary
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WWBN | AVideo-Encoder |
Affected:
< 8.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:29:04.627265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:08:08.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo-Encoder",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T04:58:47.845Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq"
},
{
"name": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06"
}
],
"source": {
"advisory": "GHSA-h9gh-866r-6vgq",
"discovery": "UNKNOWN"
},
"title": "AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33024",
"datePublished": "2026-03-20T04:58:47.845Z",
"dateReserved": "2026-03-17T17:22:14.668Z",
"dateUpdated": "2026-03-20T18:08:08.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29058 (GCVE-0-2026-29058)
Vulnerability from nvd – Published: 2026-03-06 07:08 – Updated: 2026-03-09 20:01
VLAI?
Title
AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
Summary
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
Severity ?
9.8 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WWBN | AVideo-Encoder |
Affected:
< 7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:00:48.141570Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:01:00.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo-Encoder",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T07:08:26.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q"
}
],
"source": {
"advisory": "GHSA-9j26-99jh-v26q",
"discovery": "UNKNOWN"
},
"title": "AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29058",
"datePublished": "2026-03-06T07:08:26.844Z",
"dateReserved": "2026-03-03T17:50:11.244Z",
"dateUpdated": "2026-03-09T20:01:00.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33025 (GCVE-0-2026-33025)
Vulnerability from cvelistv5 – Published: 2026-03-20 05:02 – Updated: 2026-03-20 13:53
VLAI?
Title
AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause
Summary
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers — making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WWBN | AVideo-Encoder |
Affected:
< 8.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T13:52:58.726958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T13:53:06.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo-Encoder",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST[\u0027sort\u0027] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T05:02:09.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj"
},
{
"name": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124"
}
],
"source": {
"advisory": "GHSA-5qvj-5h75-27pj",
"discovery": "UNKNOWN"
},
"title": "AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33025",
"datePublished": "2026-03-20T05:02:09.501Z",
"dateReserved": "2026-03-17T17:22:14.668Z",
"dateUpdated": "2026-03-20T13:53:06.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33024 (GCVE-0-2026-33024)
Vulnerability from cvelistv5 – Published: 2026-03-20 04:58 – Updated: 2026-03-20 18:08
VLAI?
Title
AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator
Summary
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WWBN | AVideo-Encoder |
Affected:
< 8.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:29:04.627265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:08:08.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo-Encoder",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T04:58:47.845Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq"
},
{
"name": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06"
}
],
"source": {
"advisory": "GHSA-h9gh-866r-6vgq",
"discovery": "UNKNOWN"
},
"title": "AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33024",
"datePublished": "2026-03-20T04:58:47.845Z",
"dateReserved": "2026-03-17T17:22:14.668Z",
"dateUpdated": "2026-03-20T18:08:08.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29058 (GCVE-0-2026-29058)
Vulnerability from cvelistv5 – Published: 2026-03-06 07:08 – Updated: 2026-03-09 20:01
VLAI?
Title
AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
Summary
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
Severity ?
9.8 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WWBN | AVideo-Encoder |
Affected:
< 7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:00:48.141570Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:01:00.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo-Encoder",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T07:08:26.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q"
}
],
"source": {
"advisory": "GHSA-9j26-99jh-v26q",
"discovery": "UNKNOWN"
},
"title": "AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29058",
"datePublished": "2026-03-06T07:08:26.844Z",
"dateReserved": "2026-03-03T17:50:11.244Z",
"dateUpdated": "2026-03-09T20:01:00.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}