CVE-2026-29058
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Description
## Impact

An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the `base64Url` GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption.

## Root Cause

The `base64Url` parameter is Base64-decoded and then interpolated directly into a double-quoted `ffmpeg` shell command without proper shell escaping. The upstream validation uses `FILTER_VALIDATE_URL`, which validates URL syntax but does not prevent shell metacharacters / command substitution sequences from being interpreted by the shell.

## Affected Components

* `objects/getImage.php`
* `objects/security.php`
* Execution path via async command execution helper (`shell_exec`/`nohup`)

## Patches

Apply strict shell argument escaping (e.g., `escapeshellarg()`) to all user-supplied values before building any shell command, and avoid double-quoted interpolation of untrusted input. Prefer safer process execution patterns where possible.

## Workarounds

* Restrict access to `objects/getImage.php` at the web server / reverse proxy layer (IP allowlist, auth, or disable endpoint if not needed).
* Apply WAF rules to block suspicious patterns and limit exposure until a patch is deployed.

## Resources

* Report: "Unauthenticated OS Command Injection in AVideo-Encoder"
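The Root Cause and Patches sections above describe the pattern in general terms. The following PHP is an added example written for this page; it is not AVideo's code and does not reproduce `objects/getImage.php`. It models the described defect (a base64url-decoded URL that passes `FILTER_VALIDATE_URL` but is interpolated into a double-quoted `ffmpeg` command) next to a hardened version that uses `escapeshellarg()` and a scheme allowlist. The function names, the output path and the sample URL are assumptions made for the example; neither command string is executed.

```php
<?php
// Added example, not AVideo's own code: a simplified model of the pattern the
// advisory describes, beside the hardened form it recommends.

declare(strict_types=1);

// Decode a base64url value the way a web handler would receive it (assumed helper).
function decodeBase64Url(string $value): string
{
    $decoded = base64_decode(strtr($value, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

// VULNERABLE pattern (modelled on the advisory, not the project's real code):
// the value is checked as URL syntax only, then dropped into a double-quoted
// command. Inside double quotes the shell still expands $(...), `...` and $VAR,
// so URL-valid text can carry a command substitution through.
function buildVulnerableCommand(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return "ffmpeg -y -i \"{$url}\" -vframes 1 /tmp/poster.jpg";
}

// HARDENED pattern: escapeshellarg() wraps the value in single quotes and
// escapes embedded single quotes, so the shell passes it to ffmpeg as one
// literal argument with no expansion. The scheme allowlist additionally limits
// what ffmpeg is asked to open (ffmpeg accepts many protocols besides http).
function buildHardenedCommand(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $arg = escapeshellarg($url);
    return "ffmpeg -y -i {$arg} -vframes 1 /tmp/poster.jpg";
}

// Constructed sample input: syntactically a valid URL, so FILTER_VALIDATE_URL
// accepts it, but its path contains a harmless command-substitution sequence.
$sample = 'https://example.invalid/poster$(date).jpg';
$param  = rtrim(strtr(base64_encode($sample), '+/', '-_'), '=');

$url = decodeBase64Url($param);
echo "vulnerable: " . (buildVulnerableCommand($url) ?? 'rejected') . PHP_EOL;
echo "hardened:   " . (buildHardenedCommand($url) ?? 'rejected') . PHP_EOL;
// Compare the two strings: the vulnerable one leaves $(date) inside double
// quotes, where sh would expand it; the hardened one carries it inside single
// quotes as plain characters. Nothing is executed by this script.
```

When reviewing a patch for this class of bug, check every place a request value reaches `shell_exec`, `exec`, `system`, `proc_open` or a `nohup` wrapper, not only the endpoint named in the advisory; `FILTER_VALIDATE_URL` on its own is never a substitute for `escapeshellarg()` on the final argument.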
How to fix CVE-2026-29058
To remediate CVE-2026-29058, upgrade the affected package to a fixed version below.
- upgrade to 7.0.0 or later
Is CVE-2026-29058 being exploited?
Likely — EPSS is 51.8%, placing CVE-2026-29058 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- from 0, < 7.0.0