Cyber Posture

CVE-2026-41304

Critical · Public PoC · RCE

Published: 22 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0058 (69.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41304 is a critical-severity Command Injection (CWE-77) vulnerability in WWBN AVideo. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.7% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Requires validation of the user-controlled `url` parameter to block shell metacharacters and prevent command injection in the `wget` `exec()` call.
- SI-2 Flaw Remediation (prevent): Mandates timely identification and patching of the specific command injection flaw in `cloneServer.json.php`, as fixed in commit 473c609.
- CM-7 Least Functionality (prevent): Enforces least functionality by disabling or restricting the non-essential CloneSite plugin and its vulnerable endpoint to eliminate the attack vector.
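To show what SI-10 means in practice for this bug class, here is an added hardened handler written for this page; it is not AVideo's code and not the content of commit 473c609, and the function names, the `/tmp/clone.bin` output path and the JSON error shape are assumptions.

```php
<?php
// Added example (not AVideo's code). The advisory describes the vulnerable
// pattern as the raw `url` parameter concatenated into a wget command run
// through exec(), so a value containing ';' ends the wget command and starts
// a new one. The hardened handler below validates first and only then
// passes the value through escapeshellarg().

function validate_clone_url(string $url): ?string {
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    // Only http/https sources make sense for a site clone; no file://, etc.
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Defence in depth: FILTER_VALIDATE_URL still accepts ';', '&', '|' and
    // friends in the path, so refuse shell metacharacters outright even
    // though escapeshellarg() would neutralise them below.
    if (preg_match('/[;&|`$<>(){}\\\\\'"\s]/', $url) === 1) {
        return null;
    }
    return $url;
}

function build_wget_command(string $url): string {
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so the argument can never terminate the wget command.
    return 'wget -q -O /tmp/clone.bin ' . escapeshellarg($url);
}

header('Content-Type: application/json');
$raw = $_GET['url'] ?? '';
$url = validate_clone_url($raw);
if ($url === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid url parameter']);
    exit;
}
exec(build_wget_command($url), $output, $status);
echo json_encode(['ok' => $status === 0]);
```

The validation step is the SI-10 control; `escapeshellarg()` alone would already close the injection, but rejecting malformed input early also gives the web server log a clean 400 to alert on.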

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated command injection in a public-facing web endpoint enables exploitation of public-facing applications (T1190) and execution of arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.

Deeper analysis

CVE-2026-41304 is a command injection vulnerability in the WWBN AVideo open source video platform, affecting versions 29.0 and below. The issue resides in the `cloneServer.json.php` endpoint of the CloneSite plugin, where user-controlled input from the `url` parameter is unsanitized and directly concatenated into a `wget` command executed via PHP's `exec()` function. This allows attackers to inject arbitrary shell commands by escaping the URL context with shell metacharacters such as `;`, resulting in remote code execution (RCE) on the server. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection).

The attack requires no authentication (PR:N) and can be exploited remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). An unauthenticated attacker simply needs to send a malicious HTTP request to the vulnerable endpoint with a crafted `url` parameter, such as one appending shell commands after a semicolon, causing the server to execute arbitrary code alongside the intended `wget` download. Successful exploitation grants full RCE, enabling attackers to achieve high confidentiality, integrity, and availability impacts, such as data exfiltration, persistence, or server compromise.

Mitigation is available via a patch in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb, which addresses the unsanitized input handling. The GitHub security advisory GHSA-xr6f-h4x7-r6qp provides further details on the issue and remediation steps for AVideo users. Security practitioners should urge administrators to update to a patched version beyond 29.0 and review access to the CloneSite plugin endpoint.

Details

CWE(s): CWE-77 (Command Injection)

Affected Products: wwbn avideo ≤ 29.0
