CVE-2026-29058
Published: 06 March 2026
Summary
CVE-2026-29058 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wwbn Avideo-Encoder. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation of untrusted inputs like the base64Url GET parameter to block shell metacharacters.
Mitigates the vulnerability through timely flaw remediation by patching to AVideo version 7.0 where the issue is fixed.
Enables real-time monitoring to detect indicators of command injection exploitation such as anomalous OS command execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables unauthenticated RCE via command injection in public-facing web application (T1190) and facilitates arbitrary Unix shell command execution (T1059.004).
NVD Description
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration…
more
(e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
Deeper analysisAI
CVE-2026-29058 is a critical command injection vulnerability (CWE-78) affecting AVideo, an open-source video-sharing platform software. Prior to version 7.0, the vulnerability enables unauthenticated attackers to execute arbitrary operating system commands on the server by injecting shell command substitution into the base64Url GET parameter. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with network accessibility and no privileges required.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, without user interaction. Successful exploitation allows arbitrary OS command execution, potentially resulting in full server compromise, data exfiltration such as configuration secrets, internal keys, and credentials, as well as service disruption through denial-of-service actions.
The GitHub security advisory (GHSA-9j26-99jh-v26q) confirms the vulnerability has been addressed in AVideo version 7.0, recommending immediate upgrades to mitigate the risk. No workarounds are specified in available details.
Details
- CWE(s)