PatchSiren cyber security CVE debrief
CVE-2026-45578 WWBN CVE debrief
WWBN AVideo versions 29.0 and earlier contain a shell command injection vulnerability in the live streaming notification subsystem. The plugin/Live/on_publish.php file constructs an asynchronous shell command via execAsync() by concatenating user-controlled values into a single-quoted string without applying escapeshellarg() sanitization. An attacker who can influence the $users_id, $m3u8, or $obj->liveTransmitionHistory_id parameters can inject a single quote to break out of the quoted context and append arbitrary shell commands. This yields remote code execution under the privileges of the web server process. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable attack vector, low attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability. The weakness is classified as CWE-78 (OS Command Injection). The vulnerability was disclosed via a GitHub Security Advisory and is undergoing analysis in the NVD as of the May 29, 2026 publication date.
- Vendor: WWBN
- Product: AVideo
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running WWBN AVideo 29.0 or earlier with the Live streaming plugin enabled; security teams monitoring for command injection in PHP applications; incident responders investigating suspicious web server process activity
Technical summary
The vulnerability exists in plugin/Live/on_publish.php where execAsync() builds a shell command by wrapping $users_id, $m3u8, and $obj->liveTransmitionHistory_id in single quotes without escapeshellarg() or equivalent sanitization. A single quote character in any of these three values terminates the quoted string and allows shell metacharacter injection, leading to arbitrary command execution.
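A hardened way to build a command of the kind described above, added here as an illustration and not taken from the AVideo code base: the worker script path, the function name and the argument layout are assumptions, and the example assumes a Linux host where escapeshellarg() uses single-quote wrapping.

```php
<?php
// Added example (not AVideo project code): build the on_publish command so that
// no caller-controlled value can terminate its quoted argument. Only the three
// parameter names come from the advisory; everything else is assumed.

declare(strict_types=1);

/**
 * Build the asynchronous command safely.
 * - Numeric identifiers are allow-listed as digits before they reach the shell.
 * - Every argument is wrapped with escapeshellarg(), so an embedded single
 *   quote stays inside the argument instead of ending it.
 */
function build_on_publish_command(string $users_id, string $m3u8, string $history_id): string
{
    // Reject anything that is not a plain positive integer for the two IDs.
    foreach (['users_id' => $users_id, 'liveTransmitionHistory_id' => $history_id] as $name => $value) {
        if (!preg_match('/^[0-9]+$/', $value)) {
            throw new InvalidArgumentException("$name must be a positive integer");
        }
    }
    // escapeshellarg() wraps the value in single quotes and rewrites each
    // embedded single quote as '\'' so the shell still sees one argument.
    $script = escapeshellarg('/var/www/html/plugin/Live/on_publish_worker.php'); // hypothetical path
    return 'php ' . $script . ' '
        . escapeshellarg($users_id) . ' '
        . escapeshellarg($m3u8) . ' '
        . escapeshellarg($history_id);
}

// Constructed inputs: a benign call, then a stream name carrying a single quote.
$safe = build_on_publish_command('42', 'stream/live_42.m3u8', '7');
echo $safe, PHP_EOL;

$quoted = build_on_publish_command('42', "stream/it's_live.m3u8", '7');
// The embedded quote is neutralised: the command contains exactly one '\'' sequence.
if (substr_count($quoted, "'\\''") !== 1) {
    throw new RuntimeException('escapeshellarg() did not neutralise the embedded quote');
}

// A non-numeric identifier never reaches the shell at all.
try {
    build_on_publish_command('42\'oops', 'stream/x.m3u8', '7');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```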
Defensive priority
critical
Recommended defensive actions
- Upgrade WWBN AVideo to a version newer than 29.0 that addresses GHSA-xw67-cg5f-4m2r
- If immediate patching is not feasible, disable the Live streaming plugin or restrict access to on_publish.php endpoints
- Review web server logs for suspicious command patterns in Live plugin invocations
- Apply principle of least privilege to the web server process to limit impact of command injection
- Monitor for unauthorized process spawning from the web server user context
Evidence notes
Vulnerability description sourced from NVD record and GitHub Security Advisory GHSA-xw67-cg5f-4m2r. CVSS 8.8 HIGH severity confirmed via NVD CVSS vector. CWE-78 classification from advisory source. Affected versions explicitly stated as 29.0 and earlier.
Official resources
- CVE-2026-45578 CVE record (CVE.org)
- CVE-2026-45578 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29