CVE-2026-41304
Published: 22 April 2026
Summary
CVE-2026-41304 is a high-severity Command Injection (CWE-77) vulnerability in Wwbn Avideo. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
WWBN AVideo is an open source video platform that contains a command injection vulnerability in versions 29.0 and below. The flaw resides in the cloneServer.json.php endpoint of the CloneSite plugin, which constructs shell commands by directly concatenating unsanitized user input from the url parameter into a wget command executed via exec(). This allows an attacker to break out of the intended URL context using shell metacharacters such as semicolons, resulting in arbitrary command execution on the server. The issue is tracked under CWE-77 and carries a CVSS 4.0 score of 8.9.
Remote attackers can exploit the endpoint over the network without authentication or user interaction, achieving full remote code execution: the ability to run arbitrary shell commands on the affected server.
The vulnerability is fixed in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb, with details published in the associated GitHub security advisory GHSA-xr6f-h4x7-r6qp.
The EPSS score peaked at 0.0131 and currently stands at 0.0065, indicating limited but observable post-disclosure interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24578
Vulnerability details
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
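The hardened pattern this class of bug calls for, as an added PHP example that is not AVideo's code (the function name, the sample inputs and the output path are constructed): the `url` value is validated before use and reaches `wget` only as a single quoted argument, so a metacharacter such as `;` can no longer terminate the intended command.

```php
<?php
// Added illustration (not AVideo's code): a URL-to-wget helper that
// refuses to let a caller-supplied value reach the shell unvalidated.
declare(strict_types=1);

final class UnsafeUrlException extends InvalidArgumentException {}

/**
 * Validate an untrusted URL (SI-10) and return a wget command line in which
 * the URL is one quoted argument (escapeshellarg), not concatenated text.
 */
function buildWgetCommand(string $url, string $outFile): string
{
    // Allow-list the scheme and require a host; reject anything else.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new UnsafeUrlException('URL must be absolute with a host');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new UnsafeUrlException('only http/https are accepted');
    }
    // filter_var applies RFC-style syntax checks on top of parse_url.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new UnsafeUrlException('URL failed syntax validation');
    }
    // Belt and braces: a URL never legitimately contains these bytes raw.
    if (preg_match('/[\s;&|`$<>\'"]/', $url) === 1) {
        throw new UnsafeUrlException('URL contains shell metacharacters');
    }
    // Even a validated value is passed as one quoted argument; "--" keeps
    // a value starting with "-" from being read as a wget option.
    return 'wget -q -O ' . escapeshellarg($outFile) . ' -- ' . escapeshellarg($url);
}

// Constructed sample inputs: one benign, two that raw concatenation into
// exec() would have handed to the shell as additional commands.
$samples = [
    'https://example.com/config.json',
    'https://example.com/x; whoami',
    'https://example.com/$(whoami)',
];
foreach ($samples as $s) {
    try {
        echo "ACCEPT  " . buildWgetCommand($s, '/tmp/clone.json') . "\n";
    } catch (UnsafeUrlException $e) {
        echo "REJECT  {$s}  ({$e->getMessage()})\n";
    }
}
```

The command string is only built here, never executed, so the script can be run offline to see which inputs the validator accepts.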
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in a public-facing web endpoint enables exploitation of public-facing applications (T1190) and execution of arbitrary Unix shell commands (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the untrusted `url` parameter before it is concatenated into a shell command executed via `exec()`.
- SI-2 (Flaw Remediation): mandates prompt application of the vendor fix (commit 473c609) that eliminates the unsanitized command construction in `cloneServer.json.php`.
- Restricts availability of dangerous functions such as `exec()` and external utilities like `wget` that the vulnerable endpoint relies on.