<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33482 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33482/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33482/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo OS Command Injection Vulnerability (CVE-2026-33482)</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/</guid><description>AVideo versions up to 26.0 are vulnerable to OS command injection due to insufficient sanitization of shell metacharacters in the `sanitizeFFmpegCommand()` function, potentially allowing arbitrary command execution.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, contains an OS command injection vulnerability (CVE-2026-33482) affecting versions up to and including 26.0. The vulnerability resides within the <code>sanitizeFFmpegCommand()</code> function located in <code>plugin/API/standAlone/functions.php</code>. This function is intended to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters. However, it fails to properly sanitize the <code>$()</code> bash command substitution syntax. This oversight allows attackers who can craft a valid encrypted payload to achieve arbitrary command execution on the standalone encoder server due to the use of <code>sh -c</code> within <code>execAsync()</code>. The vulnerability was patched in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. Exploitation requires the attacker to be able to craft a valid encrypted payload.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious encrypted payload containing a command injection payload leveraging the <code>$()</code> bash command substitution.</li>
<li>The attacker uploads or injects this payload into the AVideo platform.</li>
<li>AVideo processes the malicious payload, passing it to the <code>sanitizeFFmpegCommand()</code> function.</li>
<li>The <code>sanitizeFFmpegCommand()</code> function fails to properly sanitize the <code>$()</code> bash command substitution syntax within the payload.</li>
<li>The unsanitized command is then executed within a double-quoted <code>sh -c</code> context in the <code>execAsync()</code> function.</li>
<li>The <code>sh -c</code> interpreter executes the injected command, resulting in arbitrary code execution on the standalone encoder server.</li>
<li>The attacker gains control of the server, potentially leading to data exfiltration, system compromise, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the AVideo standalone encoder server. This can lead to complete system compromise, including data exfiltration, modification, or deletion. Given the nature of AVideo as a video platform, attackers could also inject malicious content into videos served by the platform, potentially affecting a large number of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 to remediate CVE-2026-33482.</li>
<li>Deploy the Sigma rule &quot;Detect AVideo Command Injection Attempt&quot; to detect potential exploitation attempts in web server logs.</li>
<li>Monitor web server logs for suspicious requests containing shell metacharacters, especially <code>$()</code>, targeting the <code>plugin/API/standAlone/functions.php</code> path.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>command-injection</category><category>cve-2026-33482</category><category>webserver</category></item></channel></rss>