


Perceptive Security
SOC/SIEM Consultancy

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but…
Published:
21 April 2026 at 22:00:00
Alert date:
22 April 2026 at 22:11:22
Source:
nvd.nist.gov
Web Technologies
WWBN AVideo, an open source video platform, contains a vulnerability in versions up to and including 29.0: an incomplete fix for `test.php` adds `escapeshellarg` for the wget code path but leaves the `file_get_contents` and curl code paths unsanitized. The URL validation regex `/^http/` only checks that the input begins with the characters `http`, so it accepts strings such as `httpevil.com` that are not HTTP URLs at all. Because the fix covers only one of the code paths that handle this input, multiple attack vectors remain open to exploitation through unsanitized input handling.
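The prefix-only check described above, set beside a stricter validator that parses the URL and requires an allowlisted scheme and a host. This is an added example, not AVideo's code or its patch; the function names `weak_is_url` and `strict_is_url` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not AVideo code. Function names are hypothetical.

// The check as the advisory describes it: only the leading "http" is tested.
function weak_is_url(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Stricter check: parse the string, then require an allowlisted scheme and a host.
function strict_is_url(string $url): bool
{
    // Reject empty input, whitespace and control characters before parsing.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // The host must be a valid hostname or an IP literal.
    return filter_var($parts['host'], FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false
        || filter_var(trim($parts['host'], '[]'), FILTER_VALIDATE_IP) !== false;
}

// Constructed sample inputs; "httpevil.com" is the string quoted in the advisory.
$samples = [
    'https://example.com/video.mp4',
    'http://example.com',
    'httpevil.com',
    'httpx://example.com',
    'http:/example.com',
];

foreach ($samples as $s) {
    printf("%-32s weak=%-5s strict=%s\n", $s,
        var_export(weak_is_url($s), true),
        var_export(strict_is_url($s), true));
}
```

A validator of this kind only helps if it runs before every path that consumes the value, which on this page means the wget, `file_get_contents` and curl paths alike; `escapeshellarg` protects only the shell invocation.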
Affected products:
WWBN AVideo
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41064
https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536
https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j
This article was created with the assistance of AI technology by Perceptive.
