GHSA-9J26-99JH-V26Q
Vulnerability from github – Published: 2026-03-03 20:02 – Updated: 2026-03-06 21:56
Impact
An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption.
Root Cause
The base64Url parameter is Base64-decoded and then interpolated directly into a double-quoted ffmpeg shell command without proper shell escaping. The upstream validation uses FILTER_VALIDATE_URL, which validates URL syntax but does not prevent shell metacharacters / command substitution sequences from being interpreted by the shell.
Affected Components
- objects/getImage.php
- objects/security.php
- Execution path via async command execution helper (shell_exec/nohup)
Patches
Apply strict shell argument escaping (e.g., escapeshellarg()) to all user-supplied values before building any shell command, and avoid double-quoted interpolation of untrusted input. Prefer safer process execution patterns where possible.
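As an added illustration (not AVideo-Encoder's own code, and with hypothetical function names), the snippet below places the double-quoted interpolation pattern described under Root Cause beside the escapeshellarg() fix recommended above and beside an argv-array proc_open() variant that avoids the shell entirely; the http/https scheme check is an extra assumption not stated in the advisory.

```php
<?php
// Added illustration, not AVideo-Encoder's own code; function names are hypothetical.

// Shared input handling. FILTER_VALIDATE_URL checks URL syntax only; it says
// nothing about shell metacharacters, so it is not a shell defence.
function decodeUrlParam(string $base64Url): ?string {
    $url = base64_decode($base64Url, true);
    if ($url === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Extra hardening (assumption, not from the advisory): accept web schemes only,
    // so ffmpeg is never handed a non-network protocol through this parameter.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// VULNERABLE: the validated URL is interpolated into a double-quoted shell
// string. Double quotes do not stop command substitution, so the shell still
// interprets metacharacters that survived the URL check.
function buildCommandUnsafe(string $url, string $out): string {
    return "ffmpeg -i \"$url\" -frames:v 1 " . escapeshellarg($out);
}

// HARDENED 1: escapeshellarg() single-quotes the value and escapes embedded
// quotes, so the shell sees one literal word whatever the value contains.
function buildCommandSafe(string $url, string $out): string {
    return 'ffmpeg -i ' . escapeshellarg($url) . ' -frames:v 1 ' . escapeshellarg($out);
}

// HARDENED 2 (preferred): no shell at all. Since PHP 7.4, proc_open() accepts an
// argv array and executes the binary directly, so there is no shell parsing step.
function runNoShell(string $url, string $out): bool {
    $argv = ['ffmpeg', '-nostdin', '-i', $url, '-frames:v', '1', $out];
    // Discard ffmpeg's output so the child never blocks on a full pipe.
    $spec = [1 => ['file', '/dev/null', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    return proc_close($proc) === 0;
}

// Request handling sketch; the output path is a constructed sample value.
$url = decodeUrlParam($_GET['base64Url'] ?? '');
if ($url === null) {
    http_response_code(400);
    exit('invalid base64Url');
}
$ok = runNoShell($url, '/tmp/thumb.jpg');
```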
Workarounds
- Restrict access to objects/getImage.php at the web server / reverse proxy layer (IP allowlist, auth, or disable the endpoint if not needed).
- Apply WAF rules to block suspicious patterns and limit exposure until a patch is deployed.
Resources
- Report: "Unauthenticated OS Command Injection in AVideo-Encoder"
{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T20:02:40Z",
    "nvd_published_at": "2026-03-06T07:16:02Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\n\nAn unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the `base64Url` GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption.\n\n## Root Cause\n\nThe `base64Url` parameter is Base64-decoded and then interpolated directly into a double-quoted `ffmpeg` shell command without proper shell escaping. The upstream validation uses `FILTER_VALIDATE_URL`, which validates URL syntax but does not prevent shell metacharacters / command substitution sequences from being interpreted by the shell.\n\n## Affected Components\n\n* `objects/getImage.php`\n* `objects/security.php`\n* Execution path via async command execution helper (`shell_exec`/`nohup`)\n\n## Patches\n\nApply strict shell argument escaping (e.g., `escapeshellarg()`) to all user-supplied values before building any shell command, and avoid double-quoted interpolation of untrusted input. Prefer safer process execution patterns where possible.\n\n## Workarounds\n\n* Restrict access to `objects/getImage.php` at the web server / reverse proxy layer (IP allowlist, auth, or disable endpoint if not needed).\n* Apply WAF rules to block suspicious patterns and limit exposure until a patch is deployed.\n\n## Resources\n\n* Report: \"Unauthenticated OS Command Injection in AVideo-Encoder\"",
  "id": "GHSA-9j26-99jh-v26q",
  "modified": "2026-03-06T21:56:49Z",
  "published": "2026-03-03T20:02:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29058"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo-Encoder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.