AVideo OS Command Injection Vulnerability (CVE-2026-63304)
AVideo versions up to and including 29.0 are vulnerable to an OS command injection (CVE-2026-63304) in the `listFFmpegProcesses()` function within `plugin/API/standAlone/functions.php`, allowing attackers to craft an encrypted `codeToExec` payload to bypass single-quote escaping and execute arbitrary operating system commands as the web-server user, leading to remote code execution.
AVideo, a video content management system, through version 29.0, contains a critical OS command injection vulnerability, tracked as CVE-2026-63304. This flaw resides in the listFFmpegProcesses() function, located in plugin/API/standAlone/functions.php. The vulnerability arises because the function incorrectly interpolates unsanitized keyword parameters inside single quotes without proper escaping, specifically within a grep command context. Threat actors capable of crafting a valid encrypted codeToExec payload can exploit this weakness to break out of the single-quoted context. This allows them to inject and execute arbitrary operating system commands with the privileges of the web-server user, posing a significant risk of remote code execution, data compromise, and full system control. The vulnerability was published by NVD on July 16, 2026.
Attack Chain
- Attacker identifies a publicly accessible AVideo instance vulnerable to CVE-2026-63304 (versions up to 29.0).
- Attacker crafts a specially designed, encrypted
codeToExecpayload containing OS command injection characters and desired commands. - The payload is engineered to escape the single-quoted
grepcommand context within the vulnerablelistFFmpegProcesses()function. - Attacker sends an HTTP request (likely POST or GET, depending on parameter handling) to the
plugin/API/standAlone/functions.phpendpoint, including the maliciouscodeToExecpayload. - The
listFFmpegProcesses()function receives and processes the request, incorporating the unsanitizedcodeToExecparameter into an internalgrepcommand. - Due to the lack of proper escaping, the injected commands break out of the
grepcontext and are executed by the underlying operating system. - The commands run with the privileges of the web-server user, enabling remote code execution on the AVideo server.
Impact
Successful exploitation of CVE-2026-63304 leads to arbitrary OS command execution on the AVideo server, operating under the privileges of the web-server user. This level of access grants attackers the ability to take full control of the compromised server, install backdoors, exfiltrate sensitive data, deface the website, or use the server as a platform for further attacks on the internal network. The high CVSS score of 8.1 reflects the severe consequences of this vulnerability, which can lead to complete compromise of confidentiality, integrity, and availability of the affected system.
Recommendation
- Patch CVE-2026-63304 on all AVideo instances immediately by upgrading to a patched version or applying vendor-recommended fixes.
- Deploy the Sigma rule provided in this brief to your SIEM to detect attempts at exploiting OS command injection patterns in web requests.
- Monitor web server access logs for requests to
plugin/API/standAlone/functions.phpcontaining unusual characters or patterns indicative of command injection as described in theDetects CVE-2026-63304 Exploitationrule. - Review network firewall and web application firewall (WAF) logs for indicators of attacks against the
plugin/API/standAlone/functions.phpendpoint.
Detection coverage 1
Detects CVE-2026-63304 Exploitation - AVideo OS Command Injection
highDetects CVE-2026-63304 exploitation attempts by identifying HTTP requests to the vulnerable AVideo endpoint with OS command injection patterns in query parameters.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | https://github.com/WWBN/AVideo/security/advisories/GHSA-j44m-77cc-p3cc |
| url | https://www.vulncheck.com/advisories/avideo-through-os-command-injection-via-listffmpegprocesses |