AVideo CloneSite Flaws Enable File Deletion and Unauthenticated RCE
WWBN AVideo was found to contain multiple high-severity flaws in its CloneSite plugin that can be abused for destructive attacks and full server compromise. One issue, tracked as CVE-2026-33293, affects versions prior to 26.0 and allows arbitrary file deletion through path traversal in the deleteDump parameter of plugin/CloneSite/cloneServer.json.php. Because the value was passed directly to unlink() without sanitization, an attacker with valid clone credentials could use ../../ sequences to remove arbitrary files such as configuration.php, causing denial of service and potentially weakening other protections.
A second issue, CVE-2026-33478, describes a broader attack chain in AVideo versions up to and including 26.0 that can lead to unauthenticated remote code execution. The clones.json.php endpoint exposed clone secret keys without authentication, which could then be used to trigger a full database dump via cloneServer.json.php; the dump reportedly included admin password hashes stored as MD5, enabling attackers to recover credentials and gain administrative access. From there, an OS command injection flaw in cloneClient.json.php involving rsync command construction could be used to execute arbitrary system commands. The vulnerabilities were mapped to CWE-22, CWE-78, and CWE-284, and fixes were released by WWBN, including a patch referenced in commit c85d076375fab095a14170df7ddb27058134d38c.
Timeline
Apr 22, 2026
CVE-2026-41304 published for AVideo CloneSite command injection RCE
A new CVE, CVE-2026-41304, was published for WWBN AVideo describing a remote code execution flaw in the CloneSite plugin. In version 29.0 and earlier, cloneServer.json.php built and executed a wget shell command from the unsanitized url parameter, and the issue was fixed in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.
Mar 23, 2026
WWBN patches AVideo unauthenticated multi-chain RCE
WWBN provided a patch for the CloneSite multi-chain remote code execution issue in commit c85d076375fab095a14170df7ddb27058134d38c. The vulnerability affected AVideo versions up to and including 26.0 and enabled unauthenticated attackers to reach OS command execution.
Mar 23, 2026
GitHub Security Advisories receives AVideo multi-chain RCE report
GitHub Security Advisories received a report describing a multi-step attack in AVideo's CloneSite plugin that could lead to unauthenticated remote code execution through clone key disclosure, database dump access, cracked admin hashes, and command injection.
Mar 22, 2026
WWBN fixes arbitrary file deletion flaw in AVideo 26.0
WWBN addressed a path traversal issue in the CloneSite plugin by releasing AVideo version 26.0. The flaw allowed authenticated users with clone credentials to use the deleteDump parameter to delete arbitrary files via unsanitized paths.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
AVideo Flaws Enable Remote Code Execution via Command Injection and Malicious Plugin Upload
WWBN **AVideo** versions up to and including `26.0` are affected by two high-severity flaws that can lead to **remote code execution**. `CVE-2026-33482` is an OS command injection bug in `sanitizeFFmpegCommand()`, which strips some shell metacharacters but fails to remove bash command substitution using `$()`. Because the resulting `ffmpeg` command is later executed in a double-quoted `sh -c` context by `execAsync()`, an attacker able to craft a valid encrypted payload can run arbitrary commands on the standalone encoder server. A separate issue, `CVE-2026-33507`, allows unauthenticated code execution through the plugin import workflow. The `objects/pluginImport.json.php` endpoint permits admin users to upload and install plugin ZIP archives containing executable PHP, but lacks **CSRF** protection; with `session.cookie_samesite = 'None'` on HTTPS connections, an attacker can trick a logged-in administrator into silently importing a malicious plugin and deploying a PHP webshell. Fixes were introduced in commits `25c8ab90269e3a01fb4cf205b40a373487f022e1` and `d1bc1695edd9ad4468a48cea0df6cd943a2635f3`.
1 months ago
AVideo Flaws Enable Unauthenticated Takeover and SSRF on Exposed Deployments
WWBN **AVideo** versions `25.0` and earlier were found to contain two high-severity vulnerabilities that can be exploited without authentication. `CVE-2026-33038` allows full application takeover on uninitialized deployments because the exposed `install/checkConfiguration.php` endpoint can accept unauthenticated `POST` data to complete setup, create an administrator account, configure the database, and write the application's configuration file. Systems that have not yet created `videos/configuration.php` are especially at risk, as an attacker can initialize the platform with attacker-controlled credentials and infrastructure, gaining full administrative access. A second flaw, `CVE-2026-33039`, affects the `plugin/LiveLinks/proxy.php` endpoint and enables **server-side request forgery (SSRF)** through an HTTP redirect bypass. AVideo validates only the initial user-supplied URL, but does not re-validate redirect targets fetched by the proxy logic, allowing attackers to reach internal resources such as **RFC1918** addresses and cloud metadata services. Both issues were addressed in **AVideo `26.0`**, with the takeover bug classified as `CWE-306` and the SSRF bug as `CWE-918`.
1 weeks ago
Unauthenticated OS Command Injection in AVideo via `base64Url` Parameter
A critical, **zero-click unauthenticated OS command injection** vulnerability was disclosed in the open-source video hosting/streaming platform **AVideo**, tracked as **CVE-2026-29058**. The flaw affects versions **prior to 7.0** (including **6.0**) and allows remote attackers to execute arbitrary operating system commands on the server without user interaction or prior privileges, creating a path to **full server compromise**, **data exfiltration** (e.g., configuration secrets, internal keys, credentials), and **service disruption**. The issue stems from `objects/getImage.php`, where attacker-controlled input in the `base64Url` GET parameter is Base64-decoded and incorporated into a double-quoted `ffmpeg` shell command without proper escaping/neutralization of shell metacharacters and command substitution (CWE-78). The vulnerability was reported by security researcher **Arkmarta**, and remediation is available by upgrading to **AVideo 7.0 or later**, which includes the official patch.
1 months ago