CVE-2026-33478
Published: 23 March 2026
Summary
CVE-2026-33478 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wwbn Avideo. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 6.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation directly addresses the chain of vulnerabilities in the CloneSite plugin by applying the patch in commit c85d076375fab095a14170df7ddb27058134d38c.
Information input validation prevents the OS command injection (CWE-78) in the rsync command construction within cloneClient.json.php.
Access enforcement mechanisms would block unauthenticated access to sensitive endpoints like clones.json.php and cloneServer.json.php, breaking the initial exploitation chain (CWE-284).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 for unauthenticated exploitation of a public-facing web application; T1059.004 for OS command injection via rsync; T1552.001 for extracting unsecured credentials from the database dump.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.
Deeper analysis
CVE-2026-33478 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability involves a chain of issues in the CloneSite plugin, including improper access control and OS command injection (CWE-284 and CWE-78), enabling remote code execution. Specifically, the clones.json.php endpoint exposes clone secret keys without authentication, cloneServer.json.php allows database dumps using those keys, and cloneClient.json.php suffers from command injection in rsync command construction. The issue has a CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.
A completely unauthenticated attacker over the network can exploit this chain to achieve full remote code execution on the server. The process begins with retrieving secret keys from clones.json.php, using them to dump the database via cloneServer.json.php—which includes trivially crackable MD5 admin password hashes—gaining administrative access, and then injecting arbitrary OS commands through the rsync functionality in cloneClient.json.php.
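The three-stage chain described above leaves a recognisable footprint in web server access logs: one client touching clones.json.php, then cloneServer.json.php, then cloneClient.json.php in a short window. The following Python script is an added example for hunting that sequence; it is not part of this advisory or of AVideo. It assumes combined-log-format lines and that the plugin endpoints sit under a /plugin/CloneSite/ directory (only the file names come from the advisory); the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined-log-format request line: client, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# CloneSite endpoints named in the advisory, in chain order: key disclosure, DB dump, rsync injection.
CHAIN = ("clones.json.php", "cloneServer.json.php", "cloneClient.json.php")

# Constructed sample log lines; the /plugin/CloneSite/ directory is an assumption (RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:10:00:01 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512
203.0.113.7 - - [23/Mar/2026:10:00:09 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 9031114
203.0.113.7 - - [23/Mar/2026:10:07:45 +0000] "POST /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 88
198.51.100.5 - - [23/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1400
198.51.100.5 - - [23/Mar/2026:10:02:30 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 403 0
"""

def parse(line):
    """Return (ip, timestamp, path without query string, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0], int(m.group("status"))

def find_chains(lines, window_seconds=600):
    """Map each client that walks the CloneSite chain in order within the window to the
    stages it reached. Reaching cloneServer.json.php already means a full database dump."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        name = path.rsplit("/", 1)[-1]
        if name in CHAIN and status < 400:  # denied requests (401/403) are not progress
            per_ip[ip].append((ts, CHAIN.index(name)))
    hits = {}
    for ip, events in per_ip.items():
        reached, first = 0, None
        for ts, stage in sorted(events):
            if stage == 0 and reached == 0:
                first, reached = ts, 1        # chain starts with the key disclosure
            elif first is not None and stage == reached and (ts - first).total_seconds() <= window_seconds:
                reached += 1                  # next stage in order, inside the window
        if reached >= 2:
            hits[ip] = [CHAIN[i] for i in range(reached)]
    return hits
```

A legitimate clone between two AVideo installations would presumably touch the same endpoints, so allowlist the addresses of known clone peers before alerting on a hit.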
The patch is available in commit c85d076375fab095a14170df7ddb27058134d38c on the AVideo GitHub repository. Additional details are provided in the GitHub Security Advisory GHSA-687q-32c6-8x68.
Details
- CWE(s)