CVE-2026-33482
Published: 23 March 2026
Summary
CVE-2026-33482 is a high-severity OS Command Injection (CWE-78) vulnerability in Wwbn Avideo. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of flaws like the incomplete sanitization of $() in sanitizeFFmpegCommand(), directly mitigated by applying the available patch.
Mandates information input validation at entry points, preventing OS command injection by ensuring crafted payloads with bash $() substitution are rejected or sanitized before reaching execAsync().
Requires vulnerability scanning that identifies OS command injection flaws like CVE-2026-33482, enabling proactive remediation before exploitation on the standalone encoder server.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE via command injection in public-facing web app (T1190) using unsanitized $() in sh -c context (T1059.004 Unix Shell).
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` `…
more
``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.
Deeper analysisAI
CVE-2026-33482 is an OS command injection vulnerability (CWE-78) in WWBN AVideo, an open source video platform. It affects versions up to and including 26.0, specifically the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php`. This function strips certain shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`) to prevent command injection in FFmpeg commands but fails to remove `$()` bash command substitution syntax.
An unauthenticated remote attacker (PR:N) with network access can exploit this by crafting a valid encrypted payload, as indicated by the CVSS v3.1 score of 8.1 (AV:N/AC:H/UI:N/S:U/C:H/I:H/A:H). The payload bypasses sanitization because the command is executed in a double-quoted `sh -c` context via `execAsync()`, enabling arbitrary command execution on the standalone encoder server.
The vulnerability is patched in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. Further details on the issue and remediation are available in the GitHub security advisory at GHSA-pmj8-r2j7-xg6c.
Details
- CWE(s)