{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/avideo-through-29.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-63304"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo (through 29.0)"],"_cs_severities":["high"],"_cs_tags":["os-command-injection","rce","web-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eAVideo, a video content management system, through version 29.0, contains a critical OS command injection vulnerability, tracked as CVE-2026-63304. This flaw resides in the \u003ccode\u003elistFFmpegProcesses()\u003c/code\u003e function, located in \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e. The vulnerability arises because the function incorrectly interpolates unsanitized keyword parameters inside single quotes without proper escaping, specifically within a \u003ccode\u003egrep\u003c/code\u003e command context. Threat actors capable of crafting a valid encrypted \u003ccode\u003ecodeToExec\u003c/code\u003e payload can exploit this weakness to break out of the single-quoted context. This allows them to inject and execute arbitrary operating system commands with the privileges of the web-server user, posing a significant risk of remote code execution, data compromise, and full system control. The vulnerability was published by NVD on July 16, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a publicly accessible AVideo instance vulnerable to CVE-2026-63304 (versions up to 29.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a specially designed, encrypted \u003ccode\u003ecodeToExec\u003c/code\u003e payload containing OS command injection characters and desired commands.\u003c/li\u003e\n\u003cli\u003eThe payload is engineered to escape the single-quoted \u003ccode\u003egrep\u003c/code\u003e command context within the vulnerable \u003ccode\u003elistFFmpegProcesses()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eAttacker sends an HTTP request (likely POST or GET, depending on parameter handling) to the \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e endpoint, including the malicious \u003ccode\u003ecodeToExec\u003c/code\u003e payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elistFFmpegProcesses()\u003c/code\u003e function receives and processes the request, incorporating the unsanitized \u003ccode\u003ecodeToExec\u003c/code\u003e parameter into an internal \u003ccode\u003egrep\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper escaping, the injected commands break out of the \u003ccode\u003egrep\u003c/code\u003e context and are executed by the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe commands run with the privileges of the web-server user, enabling remote code execution on the AVideo server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63304 leads to arbitrary OS command execution on the AVideo server, operating under the privileges of the web-server user. This level of access grants attackers the ability to take full control of the compromised server, install backdoors, exfiltrate sensitive data, deface the website, or use the server as a platform for further attacks on the internal network. The high CVSS score of 8.1 reflects the severe consequences of this vulnerability, which can lead to complete compromise of confidentiality, integrity, and availability of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-63304 on all AVideo instances immediately by upgrading to a patched version or applying vendor-recommended fixes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect attempts at exploiting OS command injection patterns in web requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e containing unusual characters or patterns indicative of command injection as described in the \u003ccode\u003eDetects CVE-2026-63304 Exploitation\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eReview network firewall and web application firewall (WAF) logs for indicators of attacks against the \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T13:20:36Z","date_published":"2026-07-16T13:20:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-avideo-command-injection/","summary":"AVideo versions up to and including 29.0 are vulnerable to an OS command injection (CVE-2026-63304) in the `listFFmpegProcesses()` function within `plugin/API/standAlone/functions.php`, allowing attackers to craft an encrypted `codeToExec` payload to bypass single-quote escaping and execute arbitrary operating system commands as the web-server user, leading to remote code execution.","title":"AVideo OS Command Injection Vulnerability (CVE-2026-63304)","url":"https://feed.craftedsignal.io/briefs/2026-07-avideo-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - AVideo (Through 29.0)","version":"https://jsonfeed.org/version/1.1"}