OS Command Injection In wwbn/avideo

Description

WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection

Summary

The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com.

Affected Package

    Ecosystem: Other

    Package: AVideo

    Affected versions: < commit 1e6cf03e93b5

    Patched versions: >= commit 1e6cf03e93b5

Details

The vulnerable wget() function in plugin/Live/test.php:

function wget($url, $filename) {
    // Both parameters are interpolated unquoted, so any shell metacharacter
    // in $url or $filename is interpreted by the shell that exec() spawns.
    $cmd = "wget --tries=1 {$url} -O {$filename} --no-check-certificate";
    exec($cmd);
}

Neither $url nor $filename is passed through escapeshellarg(). The URL validation uses preg_match("/^http/", $url) which:

    Does not require :// (matches httpevil.com)

    Does not block shell metacharacters (;, backticks, $())

    Does not validate the URL is actually a URL

A payload like http://x; id > /tmp/pwned; echo passes the regex and injects arbitrary commands via the semicolons.

The fix adds escapeshellarg() for the wget path and an isAllowedStatsTestURL allowlist, but url_get_contents() (used by the same endpoint) still follows redirects without validation. The wget-specific fix does not protect the file_get_contents and curl code paths that handle the same user-supplied URL.

PoC

"""
CVE-2026-33502 - Command injection in AVideo plugin/Live/test.php

Tests REAL vulnerable code from:
  plugin/Live/test.php (commit pre-1e6cf03)

The vulnerable wget() function at the end of test.php:
  $cmd = "wget --tries=1 {$url} -O {$filename} --no-check-certificate";...

Steps to reproduce:

    git clone https://github.com/WWBN/AVideo /tmp/AVideo_test

    cd /tmp/AVideo_test && git checkout 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3~1

    python3 poc.py

Expected output:

VULNERABILITY CONFIRMED
wget() uses unsanitized $url in shell command via exec(), and the URL regex /^http/ is too weak to prevent injection.

Impact

An unauthenticated attacker can achieve remote code execution on the AVideo server by sending a crafted URL to plugin/Live/test.php that injects shell commands via semicolons or backticks in the wget command line. This grants full server compromise -- the attacker can read database credentials, install backdoors, or pivot to internal systems.

Suggested Remediation

    Use escapeshellarg() on both $url and $filename in the wget() function.

    Strengthen the URL regex to require ^https?:// and reject shell metacharacters.

    Add authentication (User::isAdmin()) to the test.php endpoint.

    Apply escapeshellarg() consistently across all code paths (wget, curl, file_get_contents).
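The following is an added example of the remediation described above, written for this advisory and not taken from AVideo's code base. It replaces the prefix match on /^http/ with a parsed, allowlisted check, quotes every argument handed to wget with escapeshellarg(), and reuses the same validator in front of the curl path so that no code path handles the raw user-supplied URL. The function names isSafeStatsTestUrl(), wgetSafe() and fetchSafe(), the ALLOWED_STATS_HOSTS list and the cache directory are assumptions for illustration, not AVideo's isAllowedStatsTestURL or its real paths.

```php
<?php
// Added example (not AVideo's own code). Names, allowlist and paths below are
// assumptions chosen for illustration.

// Hosts the stats-test endpoint may fetch from; constructed for this example.
const ALLOWED_STATS_HOSTS = ['stats.example.org', 'cdn.example.org'];

/**
 * True only for a well-formed absolute http(s) URL whose host is allowlisted.
 * Unlike preg_match("/^http/", $url) this requires a real scheme and host,
 * parses the URL instead of matching a prefix, and refuses any character
 * that carries meaning to a shell (a URL never legitimately needs one).
 */
function isSafeStatsTestUrl(string $url): bool
{
    // Reject whitespace and shell metacharacters outright, independent of the
    // quoting done later; defence in depth for every code path.
    if (preg_match('/[\s;&|`$<>(){}\\\\\'"]/', $url)) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), ALLOWED_STATS_HOSTS, true);
}

/**
 * Hardened counterpart of the wget() shown in this advisory: validate first,
 * then quote each argument so the URL cannot terminate or extend the command.
 */
function wgetSafe(string $url, string $filename): bool
{
    if (!isSafeStatsTestUrl($url)) {
        return false;
    }
    // Pin the output to a fixed directory; basename() strips any directory
    // components supplied by the caller. The directory is an assumption.
    $target = '/var/tmp/avideo-stats/' . basename($filename);
    $cmd = 'wget --tries=1 ' . escapeshellarg($url)
         . ' -O ' . escapeshellarg($target) . ' --no-check-certificate';
    exec($cmd, $output, $status);
    return $status === 0;
}

/**
 * The same validator guards the non-shell code path. Redirects are disabled
 * so a validated URL cannot bounce to a host the allowlist excludes, which
 * is the gap the advisory notes in url_get_contents().
 */
function fetchSafe(string $url): ?string
{
    if (!isSafeStatsTestUrl($url)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed inputs: the two strings from this advisory and one allowlisted URL.
foreach (['httpevil.com',
          'http://x; id > /tmp/pwned; echo',
          'https://stats.example.org/ping.txt'] as $candidate) {
    printf("%-40s %s\n", $candidate, isSafeStatsTestUrl($candidate) ? 'accepted' : 'rejected');
}
```

Running the script prints one line per candidate; the first two strings, which /^http/ accepts, are rejected by the parsed check before any shell or HTTP client ever sees them, and only the allowlisted URL is accepted. Authentication on the endpoint (the advisory's third point) is a separate control that belongs in test.php itself and is not shown here.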

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-Y6UX5 – Vulnerability | Fluid Attacks Database