Cyber Posture

CVE-2026-33478

Critical · Public PoC

Published: 23 March 2026

Modified: 24 March 2026
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1218 (93.9th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Timely flaw remediation directly addresses the chain of vulnerabilities in the CloneSite plugin by applying the patch in commit c85d076375fab095a14170df7ddb27058134d38c.

Prevent: Information input validation prevents the OS command injection (CWE-78) in the rsync command construction within cloneClient.json.php.

Prevent: Access enforcement mechanisms would block unauthenticated access to sensitive endpoints like clones.json.php and cloneServer.json.php, breaking the initial exploitation chain (CWE-284).

Security Summary [AI]

CVE-2026-33478 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability involves a chain of issues in the CloneSite plugin, including improper access control and OS command injection (CWE-284 and CWE-78), enabling remote code execution. Specifically, the clones.json.php endpoint exposes clone secret keys without authentication, cloneServer.json.php allows database dumps using those keys, and cloneClient.json.php suffers from command injection in rsync command construction. The issue has a CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.

A completely unauthenticated attacker over the network can exploit this chain to achieve full remote code execution on the server. The process begins with retrieving secret keys from clones.json.php, using them to dump the database via cloneServer.json.php—which includes trivially crackable MD5 admin password hashes—gaining administrative access, and then injecting arbitrary OS commands through the rsync functionality in cloneClient.json.php.

The patch is available in commit c85d076375fab095a14170df7ddb27058134d38c on the AVideo GitHub repository. Additional details are provided in the GitHub Security Advisory GHSA-687q-32c6-8x68.

Details

CWE(s)

Affected Products: wwbn avideo ≤ 26.0

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

T1190 for unauthenticated exploitation of public-facing web application; T1059.004 for OS command injection via rsync; T1552.001 for extracting unsecured credentials from database dump.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
