CVE-2026-63305

WWBN · AVideo

AVideo versions 29.0 and earlier contain an OS command injection vulnerability in the ffmpeg-json.php file, enabling unauthenticated attackers to execute arbitrary commands.

Executive summary

An OS command injection vulnerability in WWBN AVideo allows unauthenticated remote attackers to execute arbitrary commands, creating a high risk of total system compromise.

Vulnerability

This is an OS command injection vulnerability (CWE-78) located in the ffmpeg-json.php file. It permits an unauthenticated attacker to manipulate input parameters to execute arbitrary system commands.

Business impact

The impact of this vulnerability is significant, as it allows for full system control if the application server is compromised. This could result in unauthorized data exfiltration, service disruption, or the installation of persistent malicious backdoors. The CVSS score of 8.1 underscores the high risk posed to the confidentiality and integrity of the affected environment.

Remediation

Immediate Action: Check the vendor GitHub repository for security patches and apply them as soon as they become available.

Proactive Monitoring: Inspect application logs for unusual request patterns targeting ffmpeg-json.php, particularly those containing shell characters or unexpected input lengths.

Compensating Controls: Utilize a Web Application Firewall to filter and block malicious traffic directed at the vulnerable PHP endpoint.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Organizations utilizing AVideo should treat this vulnerability as high priority. Administrators must monitor vendor channels for the release of a patch and ensure that adequate perimeter defenses are in place to mitigate potential exploitation attempts.