Product
AVideo versions up to and including 29.0 are vulnerable to an OS command injection (CVE-2026-63304) in the `listFFmpegProcesses()` function within `plugin/API/standAlone/functions.php`, allowing attackers to craft an encrypted `codeToExec` payload to bypass single-quote escaping and execute arbitrary operating system commands as the web-server user, leading to remote code execution.