CVE-2026-33319
Published: 22 March 2026
Summary
CVE-2026-33319 is a medium-severity OS Command Injection (CWE-78) vulnerability in Wwbn Avideo. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 10.2 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of untrusted inputs from external APIs like LinkedIn prior to use in shell command construction, directly preventing command injection via unsanitized URLs.
- SI-2 (Flaw Remediation): Mandates timely remediation of identified flaws such as CVE-2026-33319 by applying the patch in AVideo version 26.0 that adds escapeshellarg() sanitization.
- Protects the integrity of external API responses during transmission, mitigating man-in-the-middle interception that could inject malicious URLs for command execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a public-facing web application (AV:N) directly enables Exploit Public-Facing Application (T1190), and the unsanitized shell interpolation enables Unix Shell command execution (T1059.004).
NVD Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.
Deeper analysis
CVE-2026-33319 is a command injection vulnerability (CWE-78) affecting WWBN AVideo, an open source video platform, in versions prior to 26.0. The issue resides in the `uploadVideoToLinkedIn()` method of the SocialMediaPublisher plugin, which constructs a shell command by directly interpolating an upload URL from LinkedIn's API response without sanitization using `escapeshellarg()`. This was publicly disclosed on 2026-03-22 and carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N).
Exploitation requires an attacker to influence the LinkedIn API response, such as through man-in-the-middle interception, a compromised OAuth token, or compromise of LinkedIn's API itself. A privileged attacker (PR:H) with network access (AV:N) must overcome high attack complexity (AC:H) to inject arbitrary operating system commands, which execute with the privileges of the web server user. Successful exploitation enables high confidentiality and integrity impacts, such as data access or modification, but no availability disruption.
The GitHub security advisory (GHSA-w5ff-2mjc-4phc) and fixing commit (67d932eb05e1bc9b36796f73ff4f9fb47590598b) confirm that upgrading to AVideo version 26.0 resolves the vulnerability by addressing the unsanitized interpolation in the shell command construction.
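The following is an added illustration of the vulnerable pattern and its hardened form; it is not code from the AVideo project or the fixing commit. The function names, the expected host and the sample URL are constructed for the example, and it only builds command strings, it never executes them.

```php
<?php
// Added example, not code from the AVideo project: a curl upload command built from an
// API-supplied URL, first the vulnerable way and then the hardened way. Function names,
// the expected host and the sample URL are constructed for illustration.
declare(strict_types=1);

// Constructed stand-in for an attacker-influenced API response: a syntactically valid
// URL whose query string carries a closing quote and a shell command separator.
const UNTRUSTED_UPLOAD_URL = 'https://api.linkedin.example/upload?x=1";echo injected;"';
const VIDEO_PATH = '/var/www/videos/v1.mp4';

// Vulnerable pattern: the URL is interpolated straight into the command string, so the
// `"` inside it closes the argument and `;echo injected` becomes a second command.
function buildUploadCommandUnsafe(string $uploadUrl, string $videoPath): string
{
    return "curl -X PUT --upload-file \"{$videoPath}\" \"{$uploadUrl}\"";
}

// Hardened pattern: accept only an https URL for the host we expect, then pass every
// argument through escapeshellarg() so the shell receives it as one quoted word.
// (Better still is to avoid the shell entirely, e.g. via PHP's curl extension.)
function buildUploadCommandSafe(string $uploadUrl, string $videoPath, string $expectedHost): string
{
    if (filter_var($uploadUrl, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('upload URL is not syntactically valid');
    }
    $parts = parse_url($uploadUrl);
    if (($parts['scheme'] ?? '') !== 'https' || ($parts['host'] ?? '') !== $expectedHost) {
        throw new InvalidArgumentException('upload URL has an unexpected scheme or host');
    }
    return 'curl -X PUT --upload-file ' . escapeshellarg($videoPath) . ' ' . escapeshellarg($uploadUrl);
}

// Review/triage aid: FILTER_VALIDATE_URL does not reject shell metacharacters
// (quotes, semicolons, pipes, backticks, $ ...), so flag them separately.
function hasShellMetachars(string $s): bool
{
    return preg_match('/[;&|`$()<>"\'\\\\\n]/', $s) === 1;
}

echo 'valid URL?      ', var_export(filter_var(UNTRUSTED_UPLOAD_URL, FILTER_VALIDATE_URL) !== false, true), "\n";
echo 'metacharacters? ', var_export(hasShellMetachars(UNTRUSTED_UPLOAD_URL), true), "\n";
echo 'unsafe: ', buildUploadCommandUnsafe(UNTRUSTED_UPLOAD_URL, VIDEO_PATH), "\n";
echo 'safe:   ', buildUploadCommandSafe(UNTRUSTED_UPLOAD_URL, VIDEO_PATH, 'api.linkedin.example'), "\n";
```

The sample URL passes FILTER_VALIDATE_URL and the host check, which is why URL validation alone is not a fix: only the escapeshellarg() wrapping turns the whole value into a single shell word.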
Details
- CWE(s)