Critical Severity Vulnerability
This vulnerability has been rated as Critical severity. Immediate action is recommended.
CVE-2026-41064
Critical
Low
Medium
High
Critical
9.3
CVSS Score
Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
C
Confidentiality
H
Integrity
L
Availability
N
References & Resources
-
https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3security-advisories@github.com
-
https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536security-advisories@github.com
-
https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mcsecurity-advisories@github.com
-
https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7jsecurity-advisories@github.com
Severity Details
9.3
out of 10.0
Critical
Weakness Type (CWE)
CWE-78
Top 25 #13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Description
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a…
- Exploit Likelihood
- High
- Typical Severity
- High
- OWASP Top 10
- A03:2021-Injection
- Abstraction Level
- Base
Key Information
- Published Date
- April 22, 2026
