CVE-2026-33482 AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...

CVE-2026-33482 AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...

CVE-2026-33482

CVE-2026-33482 affects WWBN AVideo prior to 26.1 (up to 26.0) where sanitizeFFmpegCommand() fails to remove $() (bash command substitution). Since the sanitized ffmpeg command is executed in a double-quoted sh -c context, an attacker able to supply a crafted encrypted payload can achieve arbitrar...

CVE-2026-33482

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...

CVE-2026-33354

CVE-2026-33354 affects WWBN AVideo up to version 26.0, where POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile path. The local path check (isValidURLOrPath) allows broad server directories (e.g., /var/www/, app root, cache, tmp, videos) while rejecting only .php files....

📄 AVideo Command Injection

The Metasploit exploit module targets a command injection vulnerability in AVideo. This module exploits a base64-encoded command injection flaw in AVideo Encoder's image processing endpoint, turning a simple URL parameter into remote code execution with multiple payload strategies. Versions prior...

[SECURITY] Fedora 42 Update: python-ujson-5.12.0-1.fc42

UltraJSON is an ultra fast JSON encoder and decoder written in pure C with bindings for Python...

[SECURITY] Fedora 43 Update: python-ujson-5.12.0-1.fc43

UltraJSON is an ultra fast JSON encoder and decoder written in pure C with bindings for Python...

[SECURITY] Fedora 44 Update: python-ujson-5.12.0-1.fc44

UltraJSON is an ultra fast JSON encoder and decoder written in pure C with bindings for Python...

GHSA-VV7W-QF5C-734W AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

Summary The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rat...

AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

Summary The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rat...

Command Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection via the sanitizeFFmpegCommand function. An attacker can execute arbitrary commands on the standalone encoder server by injecting shell command...

AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()

Summary The sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails to strip $ bash command substitution syntax. Since the sanitized command is...

Metasploit Wrap-Up 03/20/2026

♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫ This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder’s getImage.php file and anothe...

CLSA-2026-1774027481 Fix CVE(s): CVE-2026-30883

SECURITY UPDATE: heap overflow in PNG encoder from large profile - debian/patches/CVE-2026-30883.patch: add overflow check in Magickpngwriterawprofile to reject profiles with length that would overflow allocatedlength arithmetic - CVE-2026-30883...

Security update for GraphicsMagick

This update for GraphicsMagick fixes the following issues: CVE-2026-28691: missing check in the JBIG decoder can lead to an uninitialized pointer dereference bsc1259455. CVE-2026-30883: missing bounds check when encoding a PNG image can lead to a heap buffer over-write bsc1259467. Patch...

CLSA-2026-1774002757 Fix CVE(s): CVE-2026-25898

SECURITY UPDATE: global buffer overflow read in UIL and XPM encoders. - debian/patches/CVE-2026-25898.patch: clamp negative pixel index values to zero in WriteUILImage, WritePICONImage, and WriteXPMImage before using them as array subscripts into the Cixel table. - CVE-2026-25898...

CLSA-2026-1773999754 Fix CVE(s): CVE-2026-25898

SECURITY UPDATE: global buffer overflow read via negative pixel index in UIL and XPM image encoders - debian/patches/CVE-2026-25898.patch: clamp negative pixel index values to zero in WriteUILImage, WritePICONImage, and WriteXPMImage before using them as array subscripts into the Cixel table. -...

OPENSUSE-SU-2026:20405-1 Security update for ImageMagick

This update for ImageMagick fixes the following issues: - CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion bsc1258790. - CVE-2026-28493: integer overflow in the SIXEL decoder leads to out-of-bounds write bsc1259446. - CVE-2026-28494: missing bounds chec...

CVE-2026-33025 AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although realescapestring was applied, it only escapes...