CVE-2026-33482 Overview
WWBN AVideo is an open source video platform that contains a command injection vulnerability in its standalone encoder component. In versions up to and including 26.0, the sanitizeFFmpegCommand() function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (&&, ;, |, `, <, >). However, the function fails to strip $() (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted sh -c context in execAsync(), an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server.
Critical Impact
This vulnerability enables remote attackers to execute arbitrary system commands on standalone encoder servers running WWBN AVideo, potentially leading to full server compromise, data exfiltration, or lateral movement within the network.
Affected Products
- WWBN AVideo versions up to and including 26.0
- Standalone encoder servers running vulnerable AVideo installations
- Self-hosted AVideo platforms with the API plugin enabled
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-33482 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33482
Vulnerability Analysis
This command injection vulnerability exists due to incomplete input sanitization in the sanitizeFFmpegCommand() function. The function was implemented as a security control to prevent malicious shell commands from being injected into ffmpeg command strings. While it correctly filters common shell metacharacters like semicolons, pipes, and backticks, it fails to account for bash's $() command substitution syntax.
When the sanitized command is passed to execAsync(), it is executed within a double-quoted sh -c context. In bash, double quotes allow variable expansion and command substitution using $(), meaning an attacker's payload embedded within these constructs will be evaluated and executed by the shell. This oversight creates a reliable command injection vector that bypasses the existing security controls.
Root Cause
The root cause is the incomplete implementation of shell metacharacter filtering in the sanitizeFFmpegCommand() function. The original regular expression pattern /[;|`<>]/ only removes a subset of dangerous characters while leaving $, (, ), {, }, and newline characters unfiltered. These omitted characters are sufficient to construct bash command substitution sequences ($() or ${}) that execute arbitrary commands when the string is processed by the shell.
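To make the root cause concrete, the following added example (not code from the AVideo project) re-implements the two filtering steps of sanitizeFFmpegCommand() in Python with the pre-patch and post-patch character classes shown on this page, and runs constructed probe strings through both; the allowlist check at the end is an assumed alternative design, not something the project ships.

```python
import re

# Character classes as they appear in plugin/API/standAlone/functions.php:
# the pre-patch denylist and the one from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1.
OLD_METACHARS = re.compile(r'[;|`<>]')
NEW_METACHARS = re.compile(r'[;|`<>$()\n\r{}]')
# Redirect-stripping step that precedes the character filter in both versions.
REDIRECTS = re.compile(r'\s*&?>.*(?:2>&1)?')

# Constructs that sh still evaluates inside a double-quoted string.
SUBSTITUTION = re.compile(r'\$\(|\$\{|`')


def sanitize(command: str, patched: bool) -> str:
    """Python re-implementation of the filtering steps in sanitizeFFmpegCommand()."""
    command = REDIRECTS.sub('', command)
    metachars = NEW_METACHARS if patched else OLD_METACHARS
    return metachars.sub('', command)


def substitution_survives(command: str) -> bool:
    """True if a command substitution construct is still present after sanitization."""
    return SUBSTITUTION.search(command) is not None


# Allowlist alternative (assumption, not the project's code): accept only characters an
# ffmpeg invocation legitimately needs and reject the whole command otherwise.
ALLOWED = re.compile(r'[A-Za-z0-9 ._:/=,+-]+')


def allowlist_ok(command: str) -> bool:
    return ALLOWED.fullmatch(command) is not None


if __name__ == '__main__':
    # Constructed probe strings; the last one mimics a legitimate command with a redirect.
    probes = [
        'ffmpeg -i in.mp4 $(hostname) out.mp4',
        'ffmpeg -i in.mp4 ${HOME} out.mp4',
        'ffmpeg -i in.mp4 out.mp4 > /dev/null 2>&1',
    ]
    for p in probes:
        old, new = sanitize(p, patched=False), sanitize(p, patched=True)
        print(f'{p!r}\n  old: {old!r} (substitution survives={substitution_survives(old)})'
              f'\n  new: {new!r} (substitution survives={substitution_survives(new)})'
              f'\n  allowlist accepts raw input: {allowlist_ok(p)}')
```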
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious encrypted payload that, when decrypted and processed by the standalone encoder, contains $() command substitution sequences. Since the encoder server processes these commands in a network-accessible context, exploitation can be performed remotely without authentication if the attacker can interact with the API endpoint. The injected commands execute with the privileges of the web server process, potentially granting access to sensitive system resources.
The security patch addresses this vulnerability by expanding the character filter to remove additional dangerous characters:
//$command = str_replace('rtmp://live/', 'rtmp://vlu.me/', $command);
//$command = str_replace('https://live:8443/', 'https://vlu.me:8443/', $command);
$command = preg_replace('/\s*&?>.*(?:2>&1)?/', '', $command);
- $command = preg_replace('/[;|`<>]/', '', $command);
+ // Security: also strip $, (, ), { } to prevent bash command substitution $(...) / ${...}
+ // and newlines which can start a new shell command, in addition to the original metacharacters.
+ $command = preg_replace('/[;|`<>$()\n\r{}]/', '', $command);
// Ensure it starts with an allowed prefix
foreach ($allowedPrefixes as $prefix) {
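Review bot: The new character class on the `+ $command = preg_replace(...)` line is still a denylist applied to a string that later reaches a double-quoted `sh -c`, so the fix only closes the constructs the list names. A more robust change is to reject the command when it contains anything outside an allowlist of characters ffmpeg arguments need, or to pass each argument through escapeshellarg() (or avoid the shell entirely) so that the character filter is not the only control between the input and the shell; the allowed-prefix check that follows does not protect against metacharacters later in the string.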
Source: GitHub Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1
Detection Methods for CVE-2026-33482
Indicators of Compromise
- Unusual process executions spawned by the web server process (e.g., www-data or apache)
- HTTP requests to the standalone encoder API containing $(, ), ${, or } sequences in parameters
- Unexpected network connections originating from the AVideo server to external hosts
- Log entries in web server or application logs containing command substitution patterns
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing bash command substitution patterns ($(, ${) targeting API endpoints
- Implement application-layer inspection rules to detect encoded or obfuscated command injection attempts
- Analyze process creation events on the encoder server for shell executions with suspicious command-line arguments
- Review AVideo application logs for failed or unusual ffmpeg command executions
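As an added example of the log-based strategies above (not tooling from the AVideo project), this Python scanner inspects constructed access-log lines for requests to the standalone encoder path, percent-decodes them repeatedly so double-encoded input is inspected too, and flags bash command substitution patterns; the query parameter name and the exact endpoint are assumptions, as is the combined log format.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined format); the endpoint and parameter name are assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2026:10:00:01 +0000] "GET /plugin/API/standAlone/?cmd=ffmpeg%20-i%20in.mp4%20out.mp4 HTTP/1.1" 200 512
10.0.0.9 - - [24/Mar/2026:10:00:07 +0000] "GET /plugin/API/standAlone/?cmd=ffmpeg%20-i%20%24%28hostname%29%20out.mp4 HTTP/1.1" 200 512
10.0.0.9 - - [24/Mar/2026:10:00:09 +0000] "GET /plugin/API/standAlone/?cmd=ffmpeg%2520%2524%257BHOME%257D HTTP/1.1" 200 512
10.0.0.7 - - [24/Mar/2026:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Command substitution constructs that survived the pre-patch filter (backtick is stripped
# by both versions but is still worth flagging in traffic).
SUBST_RE = re.compile(r'\$\(|\$\{|`')
ENCODER_PATH = '/plugin/API/standAlone/'


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads are inspected as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text: str) -> list:
    """Return one record per request to the encoder path that contains a substitution pattern."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or not match['url'].startswith(ENCODER_PATH):
            continue
        decoded = decode_fully(match['url'])
        found = SUBST_RE.search(decoded)
        if found:
            hits.append({'ip': match['ip'], 'ts': match['ts'],
                         'pattern': found.group(0), 'url': decoded})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} matched {hit['pattern']!r} in {hit['url']}")
```

Requests flagged this way warrant correlation with process-creation events on the encoder host, since a request that merely contains the pattern may have been neutralized by the patched filter.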
Monitoring Recommendations
- Enable verbose logging for the AVideo API plugin to capture all incoming requests to the standalone encoder
- Configure endpoint detection and response (EDR) solutions to alert on command execution chains originating from web server processes
- Implement network segmentation monitoring to detect lateral movement attempts from compromised encoder servers
- Set up file integrity monitoring on critical AVideo PHP files to detect unauthorized modifications
How to Mitigate CVE-2026-33482
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 or later
- If immediate patching is not possible, restrict network access to standalone encoder servers using firewall rules
- Review access logs for signs of exploitation attempts and investigate any suspicious activity
- Consider temporarily disabling the standalone encoder functionality until patching is complete
Patch Information
WWBN has released a security fix in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. This patch enhances the sanitizeFFmpegCommand() function by adding $, (, ), {, }, and newline characters to the filter pattern, effectively preventing bash command substitution attacks. Users should update their AVideo installations by pulling the latest changes from the official repository. Additional details are available in the GitHub Security Advisory GHSA-pmj8-r2j7-xg6c.
Workarounds
- Implement a web application firewall (WAF) rule to block requests containing $(, ${, ), or } characters in API parameters
- Restrict access to the standalone encoder API to trusted IP addresses only using network-level access controls
- Run the AVideo application in a containerized or sandboxed environment to limit the impact of potential command execution
# Example: Restrict access to encoder API using iptables
iptables -A INPUT -p tcp --dport 443 -s <TRUSTED_IP_RANGE> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

