WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
References
| Link | Resource |
|---|---|
| https://github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb | Patch |
| https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp | Exploit Mitigation Vendor Advisory |
| https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp | Exploit Mitigation Vendor Advisory |
Configurations
History
24 Apr 2026, 15:11
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| First Time |
Wwbn
Wwbn avideo |
|
| References | () https://github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb - Patch | |
| References | () https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp - Exploit, Mitigation, Vendor Advisory | |
| CPE | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* |
22 Apr 2026, 19:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp - |
22 Apr 2026, 00:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-22 00:16
Updated : 2026-04-24 15:11
NVD link : CVE-2026-41304
Mitre link : CVE-2026-41304
CVE.ORG link : CVE-2026-41304
JSON object : View
Products Affected
wwbn
- avideo
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')