CVE-2026-63305
WWBN · AVideo
AVideo versions 29.0 and earlier contain an OS command injection vulnerability in the ffmpeg-json.php file, enabling unauthenticated attackers to execute arbitrary commands.
Executive summary
An OS command injection vulnerability in WWBN AVideo allows unauthenticated remote attackers to execute arbitrary commands, creating a high risk of total system compromise.
Vulnerability
This is an OS command injection vulnerability (CWE-78) located in the ffmpeg-json.php file. It permits an unauthenticated attacker to manipulate input parameters to execute arbitrary system commands.
Business impact
The impact of this vulnerability is significant, as it allows for full system control if the application server is compromised. This could result in unauthorized data exfiltration, service disruption, or the installation of persistent malicious backdoors. The CVSS score of 8.1 underscores the high risk posed to the confidentiality and integrity of the affected environment.
Remediation
Immediate Action: Check the vendor GitHub repository for security patches and apply them as soon as they become available.
Proactive Monitoring: Inspect application logs for unusual request patterns targeting ffmpeg-json.php, particularly those containing shell characters or unexpected input lengths.
Compensating Controls: Utilize a Web Application Firewall to filter and block malicious traffic directed at the vulnerable PHP endpoint.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Organizations utilizing AVideo should treat this vulnerability as high priority. Administrators must monitor vendor channels for the release of a patch and ensure that adequate perimeter defenses are in place to mitigate potential exploitation attempts.