PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55173 WWBN CVE debrief

AVideo, an open-source video platform, is vulnerable to OS command injection in versions 29.0 and below. The issue arises from an incomplete fix for CVE-2026-33482, which failed to neutralize the shell background operator (&). This allows attackers to execute arbitrary OS commands on the standalone encoder server by crafting a valid encrypted payload. The vulnerability has a CVSS score of 8.1 and is considered high severity.

Vendor
WWBN
Product
AVideo
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators and users of AVideo versions 29.0 and below should be aware of this vulnerability and take immediate action to patch their systems. This vulnerability can be exploited by attackers to gain unauthorized access and execute malicious commands on the server.

Technical summary

The vulnerability is caused by the incomplete fix for CVE-2026-33482 in the sanitizeFFmpegCommand() function (plugin/API/standAlone/functions.php). The fix added certain characters to the denylist, but did not account for the single &. The ffmpeg.json.php file builds the command from _decryptString(getInput('codeToExecEncrypted')), which can be exploited by attackers to execute arbitrary OS commands. Multiple &-separated commands can be chained, allowing for various malicious activities such as downloading and executing files.

Defensive priority

High priority should be given to patching AVideo installations, as this vulnerability can be exploited to gain unauthorized access and execute malicious commands on the server.

Recommended defensive actions

  • Apply the patch from https://github.com/WWBN/AVideo/commit/c1cfa2bea8a351a1d07f5758f82887403e3abf1f
  • Upgrade to a version of AVideo greater than 29.0
  • Review and restrict access to the standalone encoder server
  • Monitor for suspicious activity and implement additional security measures
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-16T21:17:21.483Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability has a CVSS score of 8.1 and is considered high severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T21:17:21.483Z and has not been modified since then. The NVD entry is currently in the 'Received' status.