AVideo OS Command Injection Vulnerability (CVE-2026-33482)
AVideo versions up to 26.0 are vulnerable to OS command injection due to insufficient sanitization of shell metacharacters in the `sanitizeFFmpegCommand()` function, potentially allowing arbitrary command execution.
AVideo, an open-source video platform, contains an OS command injection vulnerability (CVE-2026-33482) affecting versions up to and including 26.0. The vulnerability resides within the sanitizeFFmpegCommand() function located in plugin/API/standAlone/functions.php. This function is intended to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters. However, it fails to properly sanitize the $() bash command substitution syntax. This oversight allows attackers who can craft a valid encrypted payload to achieve arbitrary command execution on the standalone encoder server due to the use of sh -c within execAsync(). The vulnerability was patched in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. Exploitation requires the attacker to be able to craft a valid encrypted payload.
Attack Chain
- An attacker crafts a malicious encrypted payload containing a command injection payload leveraging the
$()bash command substitution. - The attacker uploads or injects this payload into the AVideo platform.
- AVideo processes the malicious payload, passing it to the
sanitizeFFmpegCommand()function. - The
sanitizeFFmpegCommand()function fails to properly sanitize the$()bash command substitution syntax within the payload. - The unsanitized command is then executed within a double-quoted
sh -ccontext in theexecAsync()function. - The
sh -cinterpreter executes the injected command, resulting in arbitrary code execution on the standalone encoder server. - The attacker gains control of the server, potentially leading to data exfiltration, system compromise, or further lateral movement.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the AVideo standalone encoder server. This can lead to complete system compromise, including data exfiltration, modification, or deletion. Given the nature of AVideo as a video platform, attackers could also inject malicious content into videos served by the platform, potentially affecting a large number of users.
Recommendation
- Apply the patch from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 to remediate CVE-2026-33482.
- Deploy the Sigma rule "Detect AVideo Command Injection Attempt" to detect potential exploitation attempts in web server logs.
- Monitor web server logs for suspicious requests containing shell metacharacters, especially
$(), targeting theplugin/API/standAlone/functions.phppath.
Detection coverage 2
Detect AVideo Command Injection Attempt
criticalDetects attempts to exploit the AVideo command injection vulnerability by looking for shell metacharacters, specifically '$()', in requests to the vulnerable function.
Detect AVideo Command Injection Exploit (POST Request)
criticalDetects potential command injection attempts in AVideo by identifying POST requests to the vulnerable endpoint containing the `'$()'` sequence, indicative of bash command substitution.
Detection queries are available on the platform. Get full rules →