PatchSiren cyber security CVE debrief
CVE-2026-55173 WWBN CVE debrief
AVideo, an open-source video platform, is vulnerable to OS command injection in versions 29.0 and below. The issue arises from an incomplete fix for CVE-2026-33482, which failed to neutralize the shell background operator (&). This allows attackers to execute arbitrary OS commands on the standalone encoder server by crafting a valid encrypted payload. The vulnerability has a CVSS score of 8.1 and is considered high severity.
- Vendor
- WWBN
- Product
- AVideo
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of AVideo versions 29.0 and below should be aware of this vulnerability and take immediate action to patch their systems. This vulnerability can be exploited by attackers to gain unauthorized access and execute malicious commands on the server.
Technical summary
The vulnerability is caused by the incomplete fix for CVE-2026-33482 in the sanitizeFFmpegCommand() function (plugin/API/standAlone/functions.php). The fix added certain characters to the denylist, but did not account for the single &. The ffmpeg.json.php file builds the command from _decryptString(getInput('codeToExecEncrypted')), which can be exploited by attackers to execute arbitrary OS commands. Multiple &-separated commands can be chained, allowing for various malicious activities such as downloading and executing files.
Defensive priority
High priority should be given to patching AVideo installations, as this vulnerability can be exploited to gain unauthorized access and execute malicious commands on the server.
Recommended defensive actions
- Apply the patch from https://github.com/WWBN/AVideo/commit/c1cfa2bea8a351a1d07f5758f82887403e3abf1f
- Upgrade to a version of AVideo greater than 29.0
- Review and restrict access to the standalone encoder server
- Monitor for suspicious activity and implement additional security measures
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record was published on 2026-07-16T21:17:21.483Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability has a CVSS score of 8.1 and is considered high severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T21:17:21.483Z and has not been modified since then. The NVD entry is currently in the 'Received' status.