CVE-2026-29058

Critical

Published: 06 March 2026

Published

06 March 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.5086 97.9th percentile

Risk Priority 50 60% EPSS · 20% KEV · 20% CVSS

Description

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration…

(e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation of untrusted inputs like the base64Url GET parameter to block shell metacharacters.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability through timely flaw remediation by patching to AVideo version 7.0 where the issue is fixed.

SI-4 System Monitoring partial match

detect

Enables real-time monitoring to detect indicators of command injection exploitation such as anomalous OS command execution.

Security SummaryAI

CVE-2026-29058 is a critical command injection vulnerability (CWE-78) affecting AVideo, an open-source video-sharing platform software. Prior to version 7.0, the vulnerability enables unauthenticated attackers to execute arbitrary operating system commands on the server by injecting shell command substitution into the base64Url GET parameter. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with network accessibility and no privileges required.

Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, without user interaction. Successful exploitation allows arbitrary OS command execution, potentially resulting in full server compromise, data exfiltration such as configuration secrets, internal keys, and credentials, as well as service disruption through denial-of-service actions.

The GitHub security advisory (GHSA-9j26-99jh-v26q) confirms the vulnerability has been addressed in AVideo version 7.0, recommending immediate upgrades to mitigate the risk. No workarounds are specified in available details.

Details

CWE(s): CWE-78

Affected Products

wwbn

avideo-encoder

≤ 7.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated RCE via command injection in public-facing web application (T1190) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q
Mitigation, Vendor Advisory · security-advisories@github.com