{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41064", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.173Z", "datePublished": "2026-04-21T23:04:32.047Z", "dateUpdated": "2026-04-22T18:09:42.398Z"}, "containers": {"cna": {"title": "AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j"}, {"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"}, {"name": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3"}, {"name": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:04:32.047Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix."}], "source": {"advisory": "GHSA-pq8p-wc4f-vg7j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:09:16.244619Z", "id": "CVE-2026-41064", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:09:42.398Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41064", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:09:16.244619Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:09:36.932Z"}}], "cna": {"title": "AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)", "source": {"advisory": "GHSA-pq8p-wc4f-vg7j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 29.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3", "name": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536", "name": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:04:32.047Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41064", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:09:42.398Z", "dateReserved": "2026-04-16T16:43:03.173Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T23:04:32.047Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix."}], "id": "CVE-2026-41064", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:28.187", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T06:12:26.031185+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to the fixed version that includes commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 or later, ensuring the file_get_contents and curl code paths are properly sanitized.", "If an upgrade cannot be performed immediately, restrict or disable external access to the test.php endpoint to prevent exploitation.", "Enforce stricter URL validation by rejecting patterns like httpevil.com and ensuring that only properly formed HTTP/HTTPS addresses are allowed in the input."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "AVideo, an open\u2011source video platform developed by WWBN, is affected for all releases up to and including version 29.0. The fix addressed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 removes the unsanitized code paths and is present in newer releases.", "description_and_impact": "The vulnerability arises from an incomplete sanitization of external URLs within AVideo's test.php. While the wget pathway now applies escapeshellarg, the file_get_contents and curl calls remain unsanitized, permitting an attacker to embed shell commands in specially crafted URLs such as httpevil.com. This flaw enables full remote command execution on the host, compromising confidentiality, integrity, and availability through CWE\u201178.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical vulnerability. EPSS data is presently unavailable, and the issue is not listed in the CISA KEV catalog. Exploitation requires an externally reachable HTTP request to test.php with a malicious URL as input. Once the vulnerable code executes, an attacker achieves full command execution, making the risk high for exposed deployments."}}}}, "created": "2026-04-22T01:30:05.071403+00:00", "updated": "2026-04-22T06:15:10.418433+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}