CVE-2026-55173 AVideo incomplete fix for CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink
WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single & the shell background operator. CVE-2026-33482 reported that sanitizeFFmpegCommand...