CVE-2026-33319 is a medium-severity OS command injection vulnerability identified in the open-source video platform WWBN AVideo, specifically affecting versions prior to 26.0. The vulnerability exists in the SocialMediaPublisher plugin's uploadVideoToLinkedIn() method, which constructs shell commands by directly embedding an upload URL obtained from LinkedIn's API response. This URL is interpolated into a shell command without proper sanitization or escaping, notably lacking the use of escapeshellarg() or equivalent functions. Consequently, if an attacker can manipulate the LinkedIn API response—through man-in-the-middle (MITM) attacks, compromised OAuth tokens, or a breach of LinkedIn's API—they can inject arbitrary OS commands. These commands execute with the privileges of the web server user running AVideo, potentially allowing attackers to execute arbitrary code, access sensitive data, or disrupt service. The vulnerability requires that the attacker have some level of privileged access (e.g., a compromised OAuth token) and does not require user interaction, which limits the attack surface but still poses a significant risk. The issue was publicly disclosed on March 22, 2026, and fixed in AVideo version 26.0. No known exploits have been reported in the wild to date. The CVSS v3.1 vector is AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, high attack complexity, high privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impacts without availability impact.

The impact of this vulnerability is significant for organizations using WWBN AVideo versions prior to 26.0, especially those integrating with LinkedIn via the SocialMediaPublisher plugin. Successful exploitation allows attackers to execute arbitrary OS commands on the web server with the privileges of the web server user, which can lead to unauthorized data access, data modification, or further lateral movement within the network. Confidentiality and integrity of the system and stored data are at high risk. Although availability is not directly impacted, attackers could leverage the access to disrupt services or deploy ransomware. The requirement for a compromised OAuth token or ability to manipulate LinkedIn API responses reduces the likelihood of exploitation but does not eliminate it, especially in environments with weak token management or insecure network configurations. Organizations relying on AVideo for video content management and social media publishing may face reputational damage, data breaches, and operational disruptions if exploited.

To mitigate this vulnerability, organizations should immediately upgrade WWBN AVideo to version 26.0 or later, where the issue is fixed by properly sanitizing shell command inputs using escapeshellarg() or equivalent functions. Additionally, organizations should enforce strict OAuth token management practices, including regular token rotation, use of least privilege scopes, and monitoring for suspicious token usage. Network communications with LinkedIn's API should be secured using TLS to prevent MITM attacks. Implementing network segmentation and web application firewalls (WAFs) can help detect and block suspicious command injection attempts. Code audits and penetration testing should be conducted to verify no other unsanitized shell command constructions exist. Finally, monitoring logs for unusual command execution or API response anomalies can provide early detection of exploitation attempts.