Cyber Resilience

CVE-2026-29058

CriticalRCE

Published: 06 March 2026

Published
06 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0213 79.6th percentile
Risk Priority 80 floored blend · peak EPSS

Summary

CVE-2026-29058 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wwbn Avideo-Encoder. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29058 is a critical command injection vulnerability (CWE-78) affecting AVideo, an open-source video-sharing platform software. Prior to version 7.0, the vulnerability enables unauthenticated attackers to execute arbitrary operating system commands on the server by injecting shell command substitution into the base64Url GET parameter. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with network accessibility and no privileges required.

Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, without user interaction. Successful exploitation allows arbitrary OS command execution, potentially resulting in full server compromise, data exfiltration such as configuration secrets, internal keys, and credentials, as well as service disruption through denial-of-service actions.

The GitHub security advisory (GHSA-9j26-99jh-v26q) confirms the vulnerability has been addressed in AVideo version 7.0, recommending immediate upgrades to mitigate the risk. No workarounds are specified in available details.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration…

more

(e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE enables unauthenticated RCE via command injection in public-facing web application (T1190) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33025Same product: Wwbn Avideo-Encoder
CVE-2026-33024Same product: Wwbn Avideo-Encoder
CVE-2026-33319Same vendor: Wwbn
CVE-2026-41064Same vendor: Wwbn
CVE-2026-33648Same vendor: Wwbn
CVE-2026-33482Same vendor: Wwbn
CVE-2026-33478Same vendor: Wwbn
CVE-2026-41304Same vendor: Wwbn
CVE-2018-25115Shared CWE-78
CVE-2026-33292Same vendor: Wwbn

Affected Assets

wwbn
avideo-encoder
≤ 7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by requiring validation of untrusted inputs like the base64Url GET parameter to block shell metacharacters.

prevent

Mitigates the vulnerability through timely flaw remediation by patching to AVideo version 7.0 where the issue is fixed.

detect

Enables real-time monitoring to detect indicators of command injection exploitation such as anomalous OS command execution.

References