Lucene search
K

1564 matches found

NVD
NVD
added 2026/04/22 12:16 a.m.11 views

CVE-2026-41304

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

9.8CVSS0.02221EPSS
Exploits1References2
EUVD
EUVD
added 2026/04/21 11:7 p.m.11 views

EUVD-2026-24578

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

9.3CVSS6AI score0.02221EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/21 11:7 p.m.6 views

CVE-2026-41304

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

9.3CVSS6AI score0.02221EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/21 11:7 p.m.4 views

CVE-2026-41304 WWBN AVideo vulnerable to RCE caused by clonesite plugin

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

9.3CVSS6AI score0.02221EPSS
Exploits1References2
CVE
CVE
added 2026/04/21 11:7 p.m.29 views

CVE-2026-41304

CVE-2026-41304 affects WWBN AVideo (versions 29.0 and earlier) via the CloneSite plugin’s cloneServer.json.php. The endpoint builds a shell command by directly concatenating user-supplied input from the url parameter into a wget command and executes it with exec(), enabling command injection. Thi...

9.8CVSS6AI score0.02221EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/21 11:4 p.m.6 views

EUVD-2026-24561

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Commit...

9.3CVSS5.7AI score0.00335EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/21 11:4 p.m.6 views

CVE-2026-41064

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Commit...

9.3CVSS5.7AI score0.00335EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/04/21 11:4 p.m.47 views

CVE-2026-41064 AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Commit...

9.3CVSS0.00335EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.16 views

PT-2026-34227

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The CloneSite plugin contains a flaw where the 'cloneServer.json.php' endpoint constructs shell commands using the url parameter without proper sanitization. This input is directly concatenated...

9.8CVSS6.1AI score0.02221EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.10 views

PT-2026-34216

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.1 Description An incomplete fix in the 'test.php' file allows for unsanitized input. While the wget path was secured using escapeshellarg, the file get contents and curl code paths remain unsanitized. Additionally,...

9.3CVSS5.3AI score0.00335EPSS
Exploits1References9
OSV
OSV
added 2026/04/16 9:25 p.m.9 views

GHSA-XR6F-H4X7-R6QP WWBN AVideo: RCE cause by clonesite plugin

Description Summary The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via exec, allowing command injection. An attacker can inje...

9.8CVSS6.2AI score0.02221EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/16 9:25 p.m.10 views

WWBN AVideo: RCE cause by clonesite plugin

Description Summary The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via exec, allowing command injection. An attacker can inje...

9.8CVSS6.2AI score0.02221EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/15 8:29 p.m.8 views

JLSEC-2026-118

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007...

6.1CVSS5.8AI score0.01104EPSS
Exploits0References4
OSV
OSV
added 2026/04/15 8:29 p.m.10 views

JLSEC-2026-120

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent...

9.1CVSS6.7AI score0.00672EPSS
Exploits0References6
Snyk
Snyk
added 2026/04/14 11:27 p.m.7 views

Command Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection via unsanitized input to the wget function. An attacker can execute arbitrary system commands by supplying crafted input containing shell...

9.3CVSS6AI score0.00335EPSS
Exploits1References2
OSV
OSV
added 2026/04/14 11:27 p.m.5 views

GHSA-PQ8P-WC4F-VG7J WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection

Summary The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Affected Package - Ecosystem: Other - Package: AVideo - Affected versions: = commit...

9.3CVSS6.7AI score0.00442EPSS
Exploits2References7
Github Security Blog
Github Security Blog
added 2026/04/14 11:27 p.m.11 views

WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection

Summary The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Affected Package - Ecosystem: Other - Package: AVideo - Affected versions: = commit...

9.3CVSS6.7AI score0.00442EPSS
Exploits2References7Affected Software1
OSV
OSV
added 2026/04/11 2:5 p.m.6 views

OESA-2026-1881 busybox security update

BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system. Security Fixes: BusyBox...

6.5CVSS5.8AI score0.00285EPSS
Exploits1References2
OSV
OSV
added 2026/04/08 9:0 a.m.2 views

ROOT-OS-DEBIAN-13-CVE-2021-31879 CVE-2021-31879 in rootio-wget - Patched by Root

Root has patched CVE-2021-31879 in the rootio-wget package for Root:Debian:13. Multiple fixed versions available...

6.1CVSS6.8AI score0.01104EPSS
Exploits0
OSV
OSV
added 2026/04/04 6:17 a.m.5 views

GHSA-99J6-HJ87-6FCF AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php

Summary The plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin. The log contains internal filesystem paths, remote server URLs, and SSH connection metadata. Details...

5.3CVSS5.9AI score0.00367EPSS
Exploits1References3
Rows per page
Query Builder