WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin…

WWBN AVideo open source video platform versions 29.0 and earlier contain a critical shell-metacharacter injection vulnerability. The vulnerability exists in the YPTSocket notification branch within plugin/Live/on_publish.php file. The flaw occurs when building execAsync() command lines through string concatenation with single-quoting but without proper escapeshellarg() sanitization. Attackers can exploit this by injecting a single quote character in three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) to close quoted tokens and execute arbitrary commands. This represents a classic command injection attack vector that allows full system compromise.