CVE-2026-63305
The CVE-2026-63305 entry concerns AVideo up to version 29.0, where the ffmpeg.json.php endpoint concatenates notifyCode and callback into a shell command without escaping. This allows an attacker who can craft an encrypted payload to inject shell metacharacters and execute OS commands as the web-...