CVE-2026-33648
Published: 23 March 2026
Summary
CVE-2026-33648 is a high-severity OS Command Injection (CWE-78) vulnerability in WWBN AVideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 23.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of the user-controlled users_id and liveTransmitionHistory_id inputs to block shell metacharacters before they are concatenated into log file paths used in exec() commands.
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely application of the vendor patch (commit 99b865413172045fef6a98b5e9bfc7b24da11678) that sanitizes the inputs.
- Least privilege: limits the damage from a successful command injection by enforcing least privilege on the web application process that executes the injected commands.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a public-facing web endpoint (restreamer) enables T1190 for initial access, giving direct arbitrary Unix shell command execution via unsanitized input passed to exec().
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
Deeper analysis
CVE-2026-33648 is a command injection vulnerability (CWE-78) in WWBN AVideo, an open source video platform. It affects versions up to and including 26.0, specifically in the restreamer endpoint. The endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without sanitization. This path is then concatenated directly into shell commands passed to `exec()`, enabling injection of shell metacharacters such as `$()` or backticks.
An authenticated user (PR:L) with network access (AV:N) can exploit the vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows arbitrary command execution on the server, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 8.8 (S:U).
Mitigation is provided in GitHub commit 99b865413172045fef6a98b5e9bfc7b24da11678, which patches the issue. Additional details are available in the GitHub security advisory GHSA-5m4q-5cvx-36mw.
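As an added example (not AVideo's own code), the input-validation fix the advisory describes, written in Python: the two JSON IDs are allowlisted as plain positive integers before the log path is built, and the path is shell-quoted as a second layer if it must appear in a command string. The log directory and the ffmpeg arguments are assumed placeholders, not values from the project.

```python
import re
import shlex
from pathlib import PurePosixPath

# Assumed log directory for this example; AVideo's real layout is not on the page.
LOG_DIR = PurePosixPath("/var/log/avideo")
# Allowlist: a plain positive integer, no sign, no whitespace, no leading zeros.
_ID_RE = re.compile(r"[1-9][0-9]{0,17}")


def is_valid_id(value) -> bool:
    """True only if the JSON value is a plain positive integer (given as str or int)."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        return False
    return _ID_RE.fullmatch(str(value)) is not None


def validate_id(value) -> int:
    """NIST SI-10 style check: reject anything that is not a plain positive integer."""
    if not is_valid_id(value):
        raise ValueError(f"rejected id value: {value!r}")
    return int(value)


def log_path_unsafe(body: dict) -> str:
    """Vulnerable pattern from the advisory: raw JSON values go straight into the path,
    so any shell metacharacter in them survives into the exec() command line."""
    return f"{LOG_DIR}/restream_{body['users_id']}_{body['liveTransmitionHistory_id']}.log"


def log_path_safe(body: dict) -> PurePosixPath:
    """Hardened form: both IDs are validated first, so the path can only contain digits."""
    uid = validate_id(body.get("users_id"))
    hid = validate_id(body.get("liveTransmitionHistory_id"))
    return LOG_DIR / f"restream_{uid}_{hid}.log"


def shell_command(log_path: PurePosixPath) -> str:
    """Second layer: if the path must appear in a shell string at all, quote it.
    shlex.quote leaves a clean path unchanged and single-quotes anything else so that
    $(), backticks and ; are passed literally. Prefer an argv list with shell=False."""
    return f"ffmpeg -i INPUT_URL -f flv OUTPUT_URL >> {shlex.quote(str(log_path))} 2>&1"
```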
Details
- CWE(s)