CVE-2026-41304
Published: 22 April 2026
Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
Mitigating Controls (NIST 800-53 r5)
- Input validation: validate the user-controlled `url` parameter so that shell metacharacters are rejected before the value reaches the `wget` command passed to `exec()`.
- Flaw remediation: identify and patch the command injection in `cloneServer.json.php` promptly, as fixed in commit 473c609.
- Least functionality: disable or restrict the non-essential CloneSite plugin and its vulnerable endpoint so the attack vector is removed.
Security Summary
CVE-2026-41304 is a command injection vulnerability in the WWBN AVideo open source video platform, affecting versions 29.0 and below. The issue resides in the `cloneServer.json.php` endpoint of the CloneSite plugin, where user-controlled input from the `url` parameter is unsanitized and directly concatenated into a `wget` command executed via PHP's `exec()` function. This allows attackers to inject arbitrary shell commands by escaping the URL context with shell metacharacters such as `;`, resulting in remote code execution (RCE) on the server. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection).
The attack requires no authentication (PR:N) and can be exploited remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). An unauthenticated attacker simply needs to send a malicious HTTP request to the vulnerable endpoint with a crafted `url` parameter, such as one appending shell commands after a semicolon, causing the server to execute arbitrary code alongside the intended `wget` download. Successful exploitation grants full RCE, enabling attackers to achieve high confidentiality, integrity, and availability impacts, such as data exfiltration, persistence, or server compromise.
Mitigation is available via a patch in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb, which addresses the unsanitized input handling. The GitHub security advisory GHSA-xr6f-h4x7-r6qp provides further details on the issue and remediation steps for AVideo users. Security practitioners should urge administrators to update to a patched version beyond 29.0 and review access to the CloneSite plugin endpoint.
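The following PHP is an added, hypothetical illustration of the input-validation and quoting controls described above; it is not AVideo's `cloneServer.json.php` nor the fix in commit 473c609, and the function names, the `wget` flags and the temporary-file handling are assumptions. It validates the `url` value, pins the scheme to http(s), and passes it through `escapeshellarg()` so the shell sees one literal argument rather than a command string to parse.

```php
<?php
// Hypothetical hardening of a handler that feeds a user-supplied URL to wget.
// Illustrative only: not AVideo's cloneServer.json.php nor its fix.
// Access control for the endpoint is a separate control and is not shown.

/**
 * Return the URL only if it is an absolute http(s) URL built from a
 * conservative character set; return null otherwise.
 */
function validateDownloadUrl(string $candidate): ?string
{
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Deliberately stricter than RFC 3986: rejects whitespace and the shell
    // metacharacters ; | $ ( ) ` ' " < > even where a URL could carry them.
    if (preg_match('/^[A-Za-z0-9\-._~:\/?#@%&=+,]+$/', $candidate) !== 1) {
        return null;
    }
    return $candidate;
}

/**
 * Build the wget command line. escapeshellarg() makes the shell treat the URL
 * as one literal argument, so a metacharacter cannot start a second command.
 */
function buildWgetCommand(string $url, string $destination): string
{
    return 'wget --max-redirect=3 --timeout=30 -O ' . escapeshellarg($destination)
        . ' -- ' . escapeshellarg($url);
}

// The weak pattern the advisory describes is raw concatenation with no
// validation or quoting, i.e. exec('wget ' . $_GET['url']). Instead:
$url = validateDownloadUrl((string) ($_GET['url'] ?? ''));
if ($url === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid url']);
    exit;
}
$dest = sys_get_temp_dir() . '/clone-' . bin2hex(random_bytes(8)) . '.json';
exec(buildWgetCommand($url, $dest), $output, $status);
echo json_encode(['ok' => $status === 0]);
```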
Details
- CWE(s): CWE-77 (Command Injection)
- Affected Products: WWBN AVideo, versions 29.0 and below
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in a public-facing web endpoint enables exploitation of public-facing applications (T1190) and execution of arbitrary Unix shell commands (T1059.004).