CVE-2026-41064
Published: 22 April 2026
Summary
CVE-2026-41064 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wwbn Avideo. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): validate URLs at the `test.php` entry point with a strict scheme-and-host check rather than a `/^http/` prefix match, so strings such as `httpevil[.]com` are rejected before they reach the `file_get_contents` and `curl` code paths, and every path that reaches a shell receives an escaped argument.
SI-2 (Flaw Remediation): apply the vendor patch (commit 78bccae74634ead68aa6528d631c9ec4fd7aa536) promptly; it sanitizes all code paths and strengthens the URL validation regex.
CM-7 (Least Functionality): remove or restrict unnecessary public test endpoints such as `test.php`, eliminating the unauthenticated exposure of the command injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a public-facing PHP application (`test.php`) maps directly to T1190 (Exploit Public-Facing Application), giving unauthenticated remote access; because the unsanitized URL is passed to a shell-invoked fetch, arbitrary OS commands run via the Unix shell (T1059.004).
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
Deeper analysis
WWBN AVideo, an open source video platform, is affected by CVE-2026-41064, a command injection vulnerability (CWE-78) in versions up to and including 29.0. The issue stems from an incomplete fix in the `test.php` file, where `escapeshellarg` was added only for the wget code path, leaving the `file_get_contents` and `curl` paths unsanitized. Additionally, the URL validation regex `/^http/` is insufficient, permitting malicious strings like `httpevil[.]com`.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). By supplying a crafted URL to `test.php`, attackers can achieve command injection through the unsanitized paths, resulting in high confidentiality impact via data exfiltration and low integrity impact.
GitHub security advisories (GHSA-3fpm-8rjr-v5mc and GHSA-pq8p-wc4f-vg7j) and commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 detail the updated fix, which addresses the remaining code paths and strengthens URL validation. An earlier commit, 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3, introduced the partial mitigation. Security practitioners should update to a version incorporating the full patch.
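The two defects described above, a prefix-only regex and escaping applied to one of three fetch paths, are easiest to see side by side with a hardened version. The following PHP is an added illustration written for this page; it is not AVideo's code and the function names `validateFetchUrl`, `buildFetchCommands` and `fetchWithPhp` are hypothetical. It validates the URL once, rejects the `httpevil[.]com` form the advisory cites, and escapes the argument on every shell path rather than only the wget one.

```php
<?php
// Added example (not AVideo's code): strict URL validation plus consistent
// shell escaping for a connectivity-test endpoint that may hand a URL to
// wget, curl or file_get_contents. All function names are hypothetical.

declare(strict_types=1);

/**
 * Return the trimmed URL if it is an absolute http(s) URL with a plain host,
 * otherwise null. Unlike a bare /^http/ test, this rejects strings such as
 * "httpevil[.]com" that merely begin with the letters "http".
 */
function validateFetchUrl(string $candidate): ?string
{
    $candidate = trim($candidate);
    // FILTER_VALIDATE_URL requires a scheme and host but accepts any scheme,
    // so the scheme whitelist below is still needed.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Hostname characters only: no shell metacharacters, whitespace or brackets.
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null;
    }
    // Credentials embedded in the URL are not expected for a reachability test.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return $candidate;
}

/**
 * Build every shell-invoked fetch through the same escaping step so that no
 * code path receives the raw string. The URL is escaped even after it has
 * passed validation (defence in depth).
 */
function buildFetchCommands(string $validatedUrl): array
{
    $arg = escapeshellarg($validatedUrl);
    return [
        'wget' => 'wget -q -O /dev/null --timeout=5 ' . $arg,
        'curl' => 'curl -s -o /dev/null --max-time 5 ' . $arg,
    ];
}

/**
 * The non-shell path. file_get_contents never touches a shell, so
 * escapeshellarg does nothing for it; the scheme/host validation above is
 * the control that keeps unexpected wrappers and hosts out of this call.
 */
function fetchWithPhp(string $validatedUrl): string|false
{
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    return @file_get_contents($validatedUrl, false, $ctx);
}

// Constructed sample inputs: the first two are rejected, the last is accepted.
foreach (['httpevil[.]com', 'ftp://example.com/file', 'https://example.com/health'] as $input) {
    $ok = validateFetchUrl($input);
    printf("%-30s -> %s\n", $input, $ok === null ? 'rejected' : 'accepted');
    if ($ok !== null) {
        foreach (buildFetchCommands($ok) as $tool => $cmd) {
            echo "  $tool: $cmd\n";
        }
    }
}
```

The point of routing all three fetches through one validator is that a later maintainer cannot add a fourth path that forgets the escaping, which is exactly the shape of the incomplete fix the advisory describes. Treating `file_get_contents` separately is deliberate: for that path the risk is an unexpected scheme or host rather than shell metacharacters, so it is the validation step, not `escapeshellarg`, that protects it.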
Details
- CWE(s)