{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33482/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","command-injection","cve-2026-33482","webserver"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, contains an OS command injection vulnerability (CVE-2026-33482) affecting versions up to and including 26.0. The vulnerability resides within the \u003ccode\u003esanitizeFFmpegCommand()\u003c/code\u003e function located in \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e. This function is intended to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters. However, it fails to properly sanitize the \u003ccode\u003e$()\u003c/code\u003e bash command substitution syntax. This oversight allows attackers who can craft a valid encrypted payload to achieve arbitrary command execution on the standalone encoder server due to the use of \u003ccode\u003esh -c\u003c/code\u003e within \u003ccode\u003eexecAsync()\u003c/code\u003e. The vulnerability was patched in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. Exploitation requires the attacker to be able to craft a valid encrypted payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious encrypted payload containing a command injection payload leveraging the \u003ccode\u003e$()\u003c/code\u003e bash command substitution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or injects this payload into the AVideo platform.\u003c/li\u003e\n\u003cli\u003eAVideo processes the malicious payload, passing it to the \u003ccode\u003esanitizeFFmpegCommand()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitizeFFmpegCommand()\u003c/code\u003e function fails to properly sanitize the \u003ccode\u003e$()\u003c/code\u003e bash command substitution syntax within the payload.\u003c/li\u003e\n\u003cli\u003eThe unsanitized command is then executed within a double-quoted \u003ccode\u003esh -c\u003c/code\u003e context in the \u003ccode\u003eexecAsync()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esh -c\u003c/code\u003e interpreter executes the injected command, resulting in arbitrary code execution on the standalone encoder server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the server, potentially leading to data exfiltration, system compromise, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the AVideo standalone encoder server. This can lead to complete system compromise, including data exfiltration, modification, or deletion. Given the nature of AVideo as a video platform, attackers could also inject malicious content into videos served by the platform, potentially affecting a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 to remediate CVE-2026-33482.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AVideo Command Injection Attempt\u0026quot; to detect potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing shell metacharacters, especially \u003ccode\u003e$()\u003c/code\u003e, targeting the \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/","summary":"AVideo versions up to 26.0 are vulnerable to OS command injection due to insufficient sanitization of shell metacharacters in the `sanitizeFFmpegCommand()` function, potentially allowing arbitrary command execution.","title":"AVideo OS Command Injection Vulnerability (CVE-2026-33482)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33482","version":"https://jsonfeed.org/version/1.1"}