{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41064/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-41064"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-41064","avideo","rce","command-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to an unauthenticated remote code execution (RCE) flaw. This vulnerability, identified as CVE-2026-41064, exists in versions up to and including 29.0. The root cause is an incomplete fix applied to the \u003ccode\u003etest.php\u003c/code\u003e file. While the fix implemented \u003ccode\u003eescapeshellarg\u003c/code\u003e for the \u003ccode\u003ewget\u003c/code\u003e command, it neglected to sanitize input for the \u003ccode\u003efile_get_contents\u003c/code\u003e and \u003ccode\u003ecurl\u003c/code\u003e code paths. Additionally, the URL validation regex \u003ccode\u003e/^http/\u003c/code\u003e is overly permissive, accepting malicious strings such as \u003ccode\u003ehttpevil[.]com\u003c/code\u003e. Successful exploitation allows attackers to execute arbitrary commands on the server hosting the AVideo platform. The recommended remediation is to apply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted HTTP request to the \u003ccode\u003etest.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a malicious URL, designed to exploit the insufficient input validation in the \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e code paths. For example, using \u003ccode\u003ehttpevil[.]com\u003c/code\u003e to bypass the regex check \u003ccode\u003e/^http/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etest.php\u003c/code\u003e script processes the request, attempting to retrieve content from the attacker-controlled URL using either \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper sanitization, the malicious URL is interpreted as an OS command.\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker-supplied OS command.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the AVideo server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform various malicious activities, such as installing malware, stealing sensitive data, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41064) grants unauthenticated attackers the ability to execute arbitrary code on the affected AVideo server. This can lead to complete compromise of the server, including data theft, defacement, or use as a staging ground for further attacks. Given the platform\u0026rsquo;s use in video hosting, successful attacks could impact numerous users and content creators relying on the vulnerable AVideo instance. The vulnerable regex \u003ccode\u003e/^http/\u003c/code\u003e and unsanitized functions leave the server open to mass exploitation if exposed to the public internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 to fully address the input validation issue in \u003ccode\u003etest.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AVideo test.php Command Injection Attempt\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003etest.php\u003c/code\u003e containing suspicious URLs, especially those matching the \u003ccode\u003ehttpevil[.]com\u003c/code\u003e pattern as documented in the IOCs.\u003c/li\u003e\n\u003cli\u003eImplement a more robust URL validation mechanism that properly sanitizes input before passing it to \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T00:16:28Z","date_published":"2026-04-22T00:16:28Z","id":"/briefs/2026-04-avideo-rce/","summary":"WWBN AVideo versions up to 29.0 contain an OS Command Injection vulnerability (CVE-2026-41064) in the `test.php` file, allowing unauthenticated remote code execution due to insufficient input sanitization, especially affecting `file_get_contents` and `curl` code paths.","title":"WWBN AVideo Unauthenticated Remote Code Execution via test.php","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-41064","version":"https://jsonfeed.org/version/1.1"}