Cyber Posture

CVE-2026-33482

Severity: High · Public PoC

Published: 23 March 2026
Modified: 24 March 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Requires timely identification, reporting, and correction of flaws like the incomplete sanitization of `$()` in `sanitizeFFmpegCommand()`, directly mitigated by applying the available patch.
- prevent: Mandates information input validation at entry points, preventing OS command injection by ensuring crafted payloads with bash `$()` substitution are rejected or sanitized before reaching `execAsync()`.
- prevent: Requires vulnerability scanning that identifies OS command injection flaws like CVE-2026-33482, enabling proactive remediation before exploitation on the standalone encoder server.

Security Summary [AI]

CVE-2026-33482 is an OS command injection vulnerability (CWE-78) in WWBN AVideo, an open source video platform. It affects versions up to and including 26.0, specifically the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php`. This function strips certain shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`) to prevent command injection in FFmpeg commands but fails to remove `$()` bash command substitution syntax.

An unauthenticated remote attacker (PR:N) with network access (AV:N) can exploit this by crafting a valid encrypted payload; the CVSS v3.1 score of 8.1 (AV:N/AC:H/UI:N/S:U/C:H/I:H/A:H) reflects the high attack complexity of producing that payload (AC:H) together with full confidentiality, integrity and availability impact. The payload bypasses sanitization because the command is executed in a double-quoted `sh -c` context via `execAsync()`, where `$()` is still expanded by the shell, enabling arbitrary command execution on the standalone encoder server.

The vulnerability is patched in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. Further details on the issue and remediation are available in the GitHub security advisory at GHSA-pmj8-r2j7-xg6c.
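As an added example (not AVideo's code and not the patched function), the following PHP contrasts a blocklist sanitizer of the shape the description and summary above name with an argv-based ffmpeg invocation that never goes through `sh -c`; the option allowlist, the file-name rule and the `clip_$(id).mp4` sample are constructed assumptions.

```php
<?php
// Added illustration, not AVideo's code. Contrasts a metacharacter blocklist (the shape
// of sanitizer the advisory describes) with building the ffmpeg call as an argv array
// that is executed without any shell. Assumes PHP >= 7.4 (array form of proc_open).
// Constructed stand-in for a blocklist sanitizer: it strips the listed tokens only,
// so any token missing from the list, "$(...)" included, passes through untouched.
function blocklistSanitize(string $cmd): string {
    return str_replace(['&&', ';', '|', '`', '<', '>'], '', $cmd);
}
// Hardened form: input path, output path and options arrive separately, each is checked
// against an allowlist (a constructed example set), and the result is an argv array.
function buildFfmpegArgv(string $input, string $output, array $opts): array {
    $allowedOpts = [
        '-c:v' => '/^(libx264|libvpx-vp9|copy)$/',
        '-b:v' => '/^[0-9]{2,5}k$/',
        '-vf'  => '/^scale=[0-9]{2,4}:-?[0-9]{1,4}$/',
    ];
    foreach ([$input, $output] as $path) {   // relative names only, no directory climbing
        if (!preg_match('/^[A-Za-z0-9._-][A-Za-z0-9._\/-]*$/', $path) || strpos($path, '..') !== false) {
            throw new InvalidArgumentException("rejected path: $path");
        }
    }
    $argv = ['ffmpeg', '-i', $input];
    foreach ($opts as $flag => $value) {
        if (!isset($allowedOpts[$flag]) || !preg_match($allowedOpts[$flag], (string) $value)) {
            throw new InvalidArgumentException("rejected option: $flag");
        }
        array_push($argv, $flag, (string) $value);
    }
    $argv[] = $output;
    return $argv;
}
// proc_open() with an array command runs ffmpeg directly: there is no sh -c, so "$(...)",
// "|" or ";" inside an argument reach ffmpeg as literal bytes, never as shell syntax.
function runFfmpeg(array $argv): int {
    $null = ['file', '/dev/null', 'a'];
    $proc = proc_open($argv, [0 => ['file', '/dev/null', 'r'], 1 => $null, 2 => $null], $pipes);
    if (!is_resource($proc)) throw new RuntimeException('failed to start ffmpeg');
    return proc_close($proc);
}
// Constructed file name of the shape the advisory warns about: the blocklist returns it
// unchanged, while the allowlisting builder refuses it before anything is executed.
$name = 'clip_$(id).mp4';
var_dump(blocklistSanitize($name) === $name);
try {
    runFfmpeg(buildFfmpegArgv($name, 'out.mp4', ['-c:v' => 'libx264']));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point to carry over is that stripping tokens can only ever be as complete as the list, whereas executing an argv array leaves the shell out of the path altogether.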

Details

CWE(s): CWE-78 (OS Command Injection), as stated in the Security Summary above

Affected Products

- Vendor: wwbn
- Product: avideo
- Versions: ≤ 26.0

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct unauthenticated RCE via command injection in public-facing web app (T1190) using unsanitized $() in sh -c context (T1059.004 Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References