CVE-2026-29058
AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
In short
AVideo allows anyone to run dangerous commands on the server without logging in by sending specially crafted requests. An attacker can take control of the entire server, steal secrets, and shut down the service.
Technical detail
Unauthenticated OS command injection in objects/getImage.php via the base64Url GET parameter allows arbitrary shell command execution through command substitution. No authentication required; exploitation leads to complete server compromise, credential theft, and service disruption. Fixed in version 7.0.
Summary generated and translated by AI from the official description.
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
WWBN · AVideo-EncoderWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →