CVE-2026-63304

WWBN · AVideo

AVideo versions 29.0 and earlier are susceptible to an OS command injection vulnerability in the listffmpegprocesses function, which allows unauthenticated attackers to execute arbitrary commands.

Executive summary

A critical OS command injection vulnerability in WWBN AVideo allows unauthenticated attackers to execute arbitrary system commands, posing a severe risk to server integrity.

Vulnerability

This vulnerability is an OS command injection flaw (CWE-78) occurring within the listffmpegprocesses function. It allows an unauthenticated attacker to inject malicious commands into the underlying operating system.

Business impact

Successful exploitation of this vulnerability grants an attacker the ability to execute arbitrary code with the privileges of the web server. This could lead to a full compromise of the application server, unauthorized access to sensitive video content, or lateral movement within the network. With a CVSS score of 8.1, the high severity reflects the potential for total loss of confidentiality, integrity, and availability.

Remediation

Immediate Action: Review the official WWBN AVideo security advisory on GitHub to determine if a patched version has been released, and apply updates immediately.

Proactive Monitoring: Monitor server logs for suspicious process execution patterns or unexpected shell commands originating from the web server user account.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common OS command injection payloads, such as those involving shell metacharacters.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the high CVSS score and the existence of a proof-of-concept, this vulnerability warrants immediate attention. Security teams should prioritize patching or implementing protective WAF rules to prevent unauthorized command execution on the host system.