{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33482", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.970Z", "datePublished": "2026-03-23T14:10:10.157Z", "dateUpdated": "2026-03-23T18:08:31.712Z"}, "containers": {"cna": {"title": "AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c"}, {"name": "https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T14:10:10.157Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch."}], "source": {"advisory": "GHSA-pmj8-r2j7-xg6c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:59:51.056736Z", "id": "CVE-2026-33482", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:08:31.712Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33482", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T17:59:51.056736Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:08:13.125Z"}}], "cna": {"title": "AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()", "source": {"advisory": "GHSA-pmj8-r2j7-xg6c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1", "name": "https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T14:10:10.157Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33482", "state": "PUBLISHED", "dateUpdated": "2026-03-23T18:08:31.712Z", "dateReserved": "2026-03-20T16:16:48.970Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T14:10:10.157Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n 'sanitizeFFmpegCommand()' en 'plugin/API/standAlone/functions.php' est\u00e1 dise\u00f1ada para prevenir la inyecci\u00f3n de comandos del sistema operativo en comandos ffmpeg eliminando metacaracteres peligrosos del shell ('&amp;&amp;', ';', '|', '`', '&lt;', '&gt;'). Sin embargo, no logra eliminar '$()' (sintaxis de sustituci\u00f3n de comandos de bash). Dado que el comando saneado se ejecuta dentro de un contexto 'sh -c' entre comillas dobles en 'execAsync()', un atacante que puede crear una carga \u00fatil cifrada v\u00e1lida puede lograr la ejecuci\u00f3n arbitraria de comandos en el servidor codificador independiente. El commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contiene un parche."}], "id": "CVE-2026-33482", "lastModified": "2026-03-24T18:41:00.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T15:16:34.560", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T20:54:40.335792+00:00", "value": {"mitigation_remediation": ["Apply the security fix from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 or upgrade to a newer AVideo release that includes the patch", "Restrict external access to the standalone encoder server to trusted administrators and monitor logs for suspicious encrypted payload activity", "If ffmpeg command execution is not required for normal operation, disable or remove the functionality to eliminate the attack surface"], "summary": {"action": "Patch Immediately", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "The affected vendor is WWBN, product AVideo. Versions up to and including 26.0 contain the vulnerability; newer releases include the patched implementation.", "description_and_impact": "An open\u2011source video platform contains a flaw in the sanitizeFFmpegCommand() function that removes many shell metacharacters but fails to strip the Bash command substitution syntax $(). The sanitized command is executed via sh -c inside execAsync(), so a crafted encrypted ffmpeg payload can cause arbitrary command execution on the standalone encoder server, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity. EPSS is below 1%, suggesting low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. If the standalone encoder is accessible from the internet or an attacker can submit a valid encrypted ffmpeg payload, execution of arbitrary shell commands is possible, implying a remote attack vector."}}}}, "created": "2026-03-24T10:33:46.680266+00:00", "updated": "2026-03-25T21:28:02.443932+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}