CVE-2026-41304
HIGHWWBN AVideo vulnerable to RCE caused by clonesite plugin
Title source: cnaDescription
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp
X_Refsource_Misc x_refsource_misc
https://github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb
Scores
CVSS v4
8.9
EPSS
0.0222
EPSS Percentile
80.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-77
Status
published
Products (2)
wwbn/avideo
0Packagist
WWBN/AVideo
<= 29.0
Published
Apr 22, 2026
Tracked Since
Apr 22, 2026