CVE-2026-45578 Overview
CVE-2026-45578 is a command injection vulnerability in WWBN AVideo, an open source video platform. The flaw resides in the YPTSocket notification branch of plugin/Live/on_publish.php. The code builds an execAsync() command line through string concatenation, single-quoting each argument without calling escapeshellarg(). An authenticated attacker who controls $users_id, $m3u8, or $obj->liveTransmitionHistory_id can inject a single quote to break out of the quoted token and append arbitrary shell commands. The vulnerability affects AVideo versions 29.0 and earlier and is classified under [CWE-78] OS Command Injection.
Critical Impact
Successful exploitation grants arbitrary OS command execution under the web server account, leading to full compromise of the AVideo host.
Affected Products
- WWBN AVideo 29.0
- WWBN AVideo versions prior to 29.0
- Deployments using the Live plugin (plugin/Live/on_publish.php)
Discovery Timeline
- 2026-05-29 - CVE-2026-45578 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45578
Vulnerability Analysis
The vulnerability exists in the YPTSocket notification path of the Live plugin. When a live stream publish event triggers, AVideo constructs an asynchronous shell command using PHP string concatenation. Each interpolated value is wrapped in single quotes, but the code never invokes escapeshellarg() or any equivalent escaping routine. Three user-influenced inputs flow into this command line: $users_id, $m3u8, and $obj->liveTransmitionHistory_id. An attacker who supplies a single quote character in any of these values terminates the quoted token early, allowing injection of arbitrary shell metacharacters. The injected payload executes with the privileges of the PHP runtime, typically the web server user. Because the command runs through execAsync(), attackers can chain commands using ;, &&, or backticks without breaking application flow.
Root Cause
The root cause is reliance on naive single-quote wrapping instead of the language-provided escapeshellarg() function. Wrapping a value in single quotes by hand does nothing to a single quote embedded in that value, so the shell closes the token there and interprets the rest of the line. This is a classic instance of CWE-78 where developer-supplied escaping fails to match shell parsing rules.
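The mismatch between hand-wrapped quotes and shell parsing, as an added Python illustration that is not AVideo's code: the script name, command shape and argument order are assumed stand-ins for the on_publish.php line, and escapeshellarg_like() reproduces the POSIX behaviour of PHP's escapeshellarg(). A shell tokeniser then shows whether the three values survive as exactly three arguments.

```python
"""Added example: naive single-quoting versus escapeshellarg-style quoting.
Not AVideo's code; the command line is a constructed stand-in."""
import shlex


def naive_quote(value: str) -> str:
    # What the vulnerable branch does: wrap in single quotes, escape nothing.
    return "'" + value + "'"


def escapeshellarg_like(value: str) -> str:
    # Mirrors PHP escapeshellarg() on POSIX: close the quote, emit an escaped
    # quote, reopen the quote, then wrap the whole value in single quotes.
    return "'" + value.replace("'", "'\\''") + "'"


def build_notify_command(users_id: str, m3u8: str, history_id: str, quote) -> str:
    # Assumed stand-in for the execAsync() command line (script name and
    # argument order are not taken from the advisory).
    args = " ".join(quote(v) for v in (users_id, m3u8, history_id))
    return "php notify.php " + args


def argv_after_shell_parsing(cmdline: str) -> list:
    # Tokenise the way /bin/sh would; raises ValueError on an unclosed quote.
    return shlex.split(cmdline)


def quoting_preserved(users_id: str, m3u8: str, history_id: str, quote) -> bool:
    """True when the shell sees exactly the three intended arguments, unchanged.

    False means the quoting boundary was broken: the value either split into
    extra arguments or left a quote open, which is the precondition for injection.
    """
    try:
        argv = argv_after_shell_parsing(
            build_notify_command(users_id, m3u8, history_id, quote))
    except ValueError:
        return False
    return argv[2:] == [users_id, m3u8, history_id]
```

A value containing a single quote passes through escapeshellarg_like() intact but escapes the naive wrapper, which is exactly the defect the advisory describes.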
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker submits crafted input through the publish workflow, ensuring their controlled value reaches the on_publish.php notification branch. The payload uses a single quote followed by shell metacharacters to break out of the argument and execute attacker-supplied commands on the server.
No verified proof-of-concept code is publicly available. See the GitHub Security Advisory GHSA-xw67-cg5f-4m2r for vendor technical details.
Detection Methods for CVE-2026-45578
Indicators of Compromise
- Unexpected child processes spawned by the PHP-FPM or web server worker handling AVideo requests.
- Single-quote characters or shell metacharacters (;, |, `, $()) appearing in users_id, m3u8, or liveTransmitionHistory_id fields within application logs.
- Outbound network connections initiated by the AVideo host to unfamiliar IPs shortly after live publish events.
- New or modified files under the AVideo webroot that do not correspond to legitimate uploads.
Detection Strategies
- Inspect HTTP requests to live publish endpoints for single quotes or shell metacharacters in stream identifiers and user ID parameters.
- Monitor process creation telemetry on the AVideo server for shells (/bin/sh, bash) spawned as children of PHP processes.
- Review web server access logs for anomalous POST requests to plugin/Live/on_publish.php containing encoded shell syntax.
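The log-review strategy above as an added Python example (not part of the advisory): it parses access-log lines, keeps only requests to on_publish.php, URL-decodes the three named parameters (with a second pass for double encoding) and flags the metacharacters the advisory lists. The sample lines are constructed, not real traffic; only query-string parameters are visible in an access log, so POST bodies need a separate source.

```python
"""Added example: flag shell metacharacters in publish parameters from access logs."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

WATCHED_PARAMS = {"users_id", "m3u8", "liveTransmitionHistory_id"}
# Indicators named in the advisory: single quote, backtick, ; | & $ ( )
META = re.compile(r"['`;|&$()]")
# Request part of a combined-format access-log line
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value: str, rounds: int = 2) -> str:
    # Peel up to `rounds` layers of percent-encoding, so %2527 -> %27 -> '
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line: str) -> list:
    """Return [(param, decoded_value)] for watched parameters with metacharacters."""
    m = LOG_RE.search(log_line)
    if not m or "on_publish.php" not in m.group("target"):
        return []
    hits = []
    # parse_qsl already removes one layer of percent-encoding
    for name, raw in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        if name in WATCHED_PARAMS:
            value = decode_fully(raw)
            if META.search(value):
                hits.append((name, value))
    return hits


def scan(lines) -> list:
    """Index and findings for every line that carries a suspicious watched parameter."""
    results = []
    for i, line in enumerate(lines):
        hits = suspicious_params(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample lines (not real traffic): clean, single-encoded, double-encoded, unrelated
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2026:10:00:00 +0000] "POST /plugin/Live/on_publish.php?users_id=42&m3u8=live.m3u8 HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jun/2026:10:00:07 +0000] "POST /plugin/Live/on_publish.php?users_id=42%27&m3u8=live.m3u8 HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jun/2026:10:00:09 +0000] "POST /plugin/Live/on_publish.php?liveTransmitionHistory_id=7%2527 HTTP/1.1" 200 12',
    '10.0.0.3 - - [01/Jun/2026:10:00:11 +0000] "GET /index.php?q=it%27s HTTP/1.1" 200 12',
]
```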
Monitoring Recommendations
- Enable PHP error and audit logging to capture argument values passed to execAsync() calls.
- Correlate authentication events with publish notifications to flag low-privilege accounts triggering streaming workflows for the first time.
- Forward web server and host process telemetry to a centralized SIEM for cross-source correlation.
How to Mitigate CVE-2026-45578
Immediate Actions Required
- Upgrade WWBN AVideo to a version later than 29.0 once the vendor patch is available per the GitHub Security Advisory.
- Restrict access to live publishing functionality to trusted, authenticated users only.
- Audit existing user accounts and revoke unused or low-trust credentials that can reach the Live plugin.
- Review web server and PHP process logs for prior exploitation attempts referencing single quotes in publish parameters.
Patch Information
Consult the WWBN AVideo GitHub Security Advisory GHSA-xw67-cg5f-4m2r for fixed version information and upgrade instructions. The fix replaces manual single-quoting with proper invocation of escapeshellarg() on all interpolated values.
Workarounds
- Place the AVideo application behind a web application firewall and block requests containing single quotes or shell metacharacters in stream identifier fields.
- Disable the YPTSocket notification feature or the Live plugin entirely if live streaming is not required.
- Run the PHP worker under a low-privilege account with no shell access and enforce filesystem and network egress restrictions through OS-level controls.
# Example WAF rule (ModSecurity) blocking single quotes and shell metacharacters in publish parameters.
# In phase 2, ARGS covers both query-string and POST-body parameters; t:urlDecodeUni also
# catches double-encoded values such as %2527.
SecRule ARGS:users_id|ARGS:m3u8|ARGS:liveTransmitionHistory_id "@rx ['`;|&$()]" \
    "id:1004578,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Possible CVE-2026-45578 command injection attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.