CVE-2026-29058 is an OS command injection vulnerability classified under CWE-78 affecting WWBN's AVideo-Encoder software prior to version 7.0. The vulnerability arises from improper neutralization of special elements in the base64Url GET parameter, which allows an attacker to inject shell command substitutions. Because the parameter is not properly sanitized, an attacker can craft malicious input that the server executes as OS commands. This flaw requires no authentication or user interaction, making it highly exploitable remotely. Successful exploitation can lead to arbitrary code execution with the privileges of the web server process, potentially resulting in full server compromise. Attackers could exfiltrate sensitive data such as configuration files, internal keys, and credentials, or disrupt service availability. Although no known exploits are reported in the wild yet, the critical CVSS score of 9.8 reflects the high risk. The vulnerability was publicly disclosed on March 6, 2026, and has been addressed in AVideo-Encoder version 7.0 by implementing proper input validation and sanitization.

The impact of CVE-2026-29058 is severe for organizations running vulnerable versions of AVideo-Encoder. Exploitation can lead to complete server takeover, allowing attackers to execute arbitrary commands, steal sensitive data including credentials and cryptographic keys, and disrupt video-sharing services. This can result in significant operational downtime, loss of user trust, and potential regulatory penalties if sensitive user data is compromised. Given the unauthenticated nature of the attack, threat actors can easily scan for vulnerable instances and exploit them en masse. Organizations relying on AVideo-Encoder for video content delivery or internal media management face risks to confidentiality, integrity, and availability. The potential for lateral movement within networks after initial compromise further elevates the threat.

To mitigate this vulnerability, organizations should immediately upgrade AVideo-Encoder to version 7.0 or later, where the issue is patched. If upgrading is not immediately feasible, implement strict input validation and sanitization on the base64Url GET parameter to prevent shell command injection. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious command injection patterns targeting this parameter. Restrict the privileges of the web server process to minimize the impact of potential exploitation. Monitor logs for unusual requests containing shell metacharacters or base64Url parameter anomalies. Conduct regular vulnerability scans to identify outdated AVideo-Encoder instances. Finally, ensure proper network segmentation to limit lateral movement if a compromise occurs.