CVE-2026-33648 Overview
CVE-2026-33648 is a command injection vulnerability affecting WWBN AVideo, an open source video platform. The vulnerability exists in the restreamer endpoint, which constructs a log file path by embedding user-controlled users_id and liveTransmitionHistory_id values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to exec(), allowing an authenticated attacker to achieve arbitrary command execution on the server via shell metacharacters such as $() or backticks.
Critical Impact
Authenticated attackers can execute arbitrary commands on the server, potentially leading to complete system compromise, data theft, lateral movement, and persistent access to the hosting infrastructure.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All AVideo installations using the vulnerable restreamer endpoint
- Self-hosted AVideo deployments without the security patch applied
Discovery Timeline
- 2026-03-23 - CVE-2026-33648 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33648
Vulnerability Analysis
This command injection vulnerability (CWE-78) stems from improper handling of user-supplied input in the restreamer functionality of WWBN AVideo. The application accepts JSON request body parameters users_id and liveTransmitionHistory_id and uses them to construct file paths for logging purposes. These values are embedded directly into shell commands executed via PHP's exec() function without proper sanitization or validation.
An authenticated user can inject shell metacharacters into these parameters to break out of the intended command context and execute arbitrary system commands. The network-accessible nature of this vulnerability combined with the low complexity of exploitation makes it particularly dangerous for internet-facing AVideo installations.
Root Cause
The root cause is the lack of input sanitization when handling user-controlled values that are subsequently used in shell command construction. The users_id and liveTransmitionHistory_id parameters from JSON request bodies are concatenated directly into file path strings that become part of shell commands, creating a classic command injection vector. The application failed to validate that these values contain only expected characters (alphanumeric and safe punctuation) before using them in security-sensitive operations.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access to the AVideo platform. An attacker with valid credentials can craft a malicious JSON request to the restreamer endpoint containing shell metacharacters in the users_id or liveTransmitionHistory_id fields. When the server processes this request, the malicious payload is executed with the privileges of the web server process.
The following code shows the security patch that addresses this vulnerability by implementing a sanitizeLogFileComponent function:
return substr($word, -1) === '/';
}
+function sanitizeLogFileComponent($value, $default = '0')
+{
+ if (is_array($value) || is_object($value)) {
+ return $default;
+ }
+
+ $value = preg_replace('/[^a-z0-9_.-]/i', '', (string) $value);
+
+ if ($value === '') {
+ return $default;
+ }
+
+ return $value;
+}
+
function _getLiveKey($token)
{
global $streamerURL, $isATest;
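Review bot: The whitelist in the preg_replace() line of sanitizeLogFileComponent() still accepts values made only of dots or starting with a hyphen (for example `..` or `-1`), and it silently rewrites bad input instead of rejecting it. Since both fields are named as IDs, consider accepting digits only (e.g. `ctype_digit((string) $value)`) and returning `$default` with a log entry otherwise, so tampered requests are visible to defenders. The hunk shows only the helper, not its call sites; confirm that every log path passed to exec() is built from sanitized values, and wrap the final path in escapeshellarg() as a second layer. A short docblock stating the allowed character set would also help.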
Source: GitHub Commit Changes
The patch introduces a sanitization function that strips all characters except alphanumeric characters, underscores, periods, and hyphens, effectively preventing shell metacharacter injection.
Detection Methods for CVE-2026-33648
Indicators of Compromise
- Unusual characters in users_id or liveTransmitionHistory_id parameters within web server logs, particularly $(), backticks, semicolons, or pipe characters
- Unexpected child processes spawned by the PHP/web server process
- Suspicious network connections originating from the web server
- New files created in unexpected locations with web server ownership
- Modified system configurations or new user accounts
Detection Strategies
- Monitor HTTP request logs for the restreamer endpoint with JSON bodies containing shell metacharacters in ID fields
- Implement web application firewall rules to detect command injection patterns in POST request bodies
- Deploy endpoint detection and response (EDR) solutions to identify anomalous process execution chains from web server processes
- Configure intrusion detection systems to alert on known command injection payloads
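A minimal version of the first detection strategy, as an added example (not code from AVideo or from the advisory): it flags restreamer request bodies whose users_id or liveTransmitionHistory_id contain characters the patch would strip. It assumes request bodies are captured somewhere (for example by a WAF or application logging); the record layout, function names and sample data are constructed for illustration.

```python
import json
import re

# Mirrors the patch's whitelist: anything outside [a-z0-9_.-] is stripped by the fix.
DISALLOWED = re.compile(r"[^a-z0-9_.-]", re.IGNORECASE)
ID_FIELDS = ("users_id", "liveTransmitionHistory_id")
# Endpoint path as given in the page's Nginx example.
ENDPOINT = "/plugin/Live/standAloneFiles/restreamer.json.php"

def inspect_body(raw_body):
    """Return a list of (field, reason) findings for one JSON request body."""
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return [("<body>", "unparseable JSON")]
    if not isinstance(body, dict):
        return [("<body>", "JSON root is not an object")]
    findings = []
    for field in ID_FIELDS:
        value = body.get(field, 0)  # absent field: nothing to flag
        if isinstance(value, (list, dict)):
            # The patch replaces arrays/objects with its default value.
            findings.append((field, "non-scalar value"))
            continue
        bad = sorted(set(DISALLOWED.findall(str(value))))
        if bad:
            findings.append((field, "disallowed chars: " + "".join(bad)))
    return findings

def scan(records):
    """records: iterable of (path, raw_body); yields (index, findings) for hits."""
    for i, (path, raw_body) in enumerate(records):
        if path.split("?", 1)[0] != ENDPOINT:
            continue
        findings = inspect_body(raw_body)
        if findings:
            yield i, findings

# Constructed sample records (not real traffic).
SAMPLE = [
    (ENDPOINT, '{"users_id": 12, "liveTransmitionHistory_id": 345}'),
    (ENDPOINT, '{"users_id": "12$(example)", "liveTransmitionHistory_id": 345}'),
    (ENDPOINT, '{"users_id": 12, "liveTransmitionHistory_id": ["a"]}'),
    ("/other.php", '{"users_id": "`x`"}'),
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE):
        print(idx, found)
```

Because the check reuses the patch's character set, anything it flags is input the fixed server would have altered, which keeps false positives on legitimate IDs low.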
Monitoring Recommendations
- Enable verbose logging for the AVideo application and restreamer endpoint specifically
- Set up real-time alerting for any exec(), system(), or shell_exec() calls with unexpected parameters
- Monitor for outbound network connections from the web server to unusual destinations
- Implement file integrity monitoring on critical system directories
How to Mitigate CVE-2026-33648
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 99b865413172045fef6a98b5e9bfc7b24da11678 or later
- Review web server logs for evidence of exploitation attempts
- Restrict network access to the restreamer endpoint to trusted IP addresses if possible
- Implement web application firewall rules to block requests with shell metacharacters in JSON body parameters
Patch Information
WWBN has released a security patch in commit 99b865413172045fef6a98b5e9bfc7b24da11678. The patch adds a sanitizeLogFileComponent() function that sanitizes user input by removing all characters except alphanumeric characters, underscores, periods, and hyphens. Organizations should update their AVideo installations immediately by pulling the latest code from the official repository. For detailed information, refer to the GitHub Security Advisory GHSA-5m4q-5cvx-36mw.
Workarounds
- Place the AVideo installation behind a reverse proxy with strict input validation rules for the restreamer endpoint
- Disable the restreamer functionality if not required for business operations
- Implement network segmentation to limit the impact of potential compromise
- Use application-level firewalls to filter requests containing command injection payloads
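# Example: Nginx configuration to restrict the restreamer endpoint
# "=" (exact match) so a regex location such as "~ \.php$" does not take precedence
location = /plugin/Live/standAloneFiles/restreamer.json.php {
    # Restrict access to trusted networks (allow/deny does not authenticate users)
    allow 10.0.0.0/8;
    deny all;

    # Block requests containing shell metacharacters.
    # Caveat: "if" runs in the rewrite phase, before nginx reads the request
    # body, so $request_body is normally empty here and this match does not
    # fire; do body inspection in a WAF module or in the application.
    if ($request_body ~* "(\$\(|\`|;|\||&|>|<)") {
        return 403;
    }

    # This block must also contain the site's PHP handler directives
    # (for example fastcgi_pass), or the request is not passed to PHP.
}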


