WWBN AVideo, an open-source video platform, suffers from a critical vulnerability (CVE-2026-33478) in its CloneSite plugin up to version 26.0. The vulnerability chain begins with the `clones.json.php` endpoint, which exposes clone secret keys without any authentication. These keys enable attackers to invoke the `cloneServer.json.php` endpoint to perform a full database dump. The dumped database includes admin password hashes stored using MD5, a weak hashing algorithm that can be easily cracked. Once admin credentials are obtained, attackers can access the `cloneClient.json.php` endpoint, where an OS command injection flaw exists in the construction of an rsync command. This injection allows arbitrary system command execution on the server hosting AVideo. The vulnerability is severe because it requires no authentication or user interaction, affects confidentiality (database and credentials exposure), integrity (arbitrary command execution), and availability (potential system compromise). The vulnerability is tracked under CWE-78 (OS Command Injection) and CWE-284 (Improper Access Control). A patch has been committed (commit c85d076375fab095a14170df7ddb27058134d38c) to fix these issues.

The impact of CVE-2026-33478 is severe and wide-ranging. Attackers can gain full remote code execution on affected AVideo servers without any authentication, leading to complete system compromise. Confidential data, including user information and admin credentials, can be stolen or manipulated. The use of weak MD5 hashes for admin passwords facilitates quick credential cracking, escalating privileges easily. This can result in data breaches, service disruption, defacement, or use of the compromised server as a pivot point for further attacks within an organization’s network. Given AVideo’s role as a video platform, organizations relying on it for content delivery or internal communications face risks of operational downtime and reputational damage. The vulnerability’s ease of exploitation and full impact on confidentiality, integrity, and availability make it a critical threat globally.

Organizations should immediately upgrade WWBN AVideo to a version later than 26.0 where the patch (commit c85d076375fab095a14170df7ddb27058134d38c) has been applied. If upgrading is not immediately possible, restrict access to the vulnerable endpoints (`clones.json.php`, `cloneServer.json.php`, and `cloneClient.json.php`) via network-level controls such as firewalls or web application firewalls (WAFs). Implement strict access controls and authentication mechanisms around these endpoints. Replace MD5 password hashes with a strong, modern hashing algorithm like bcrypt or Argon2 to prevent easy cracking. Conduct thorough audits of server logs and systems for signs of compromise. Employ runtime application self-protection (RASP) or intrusion detection systems (IDS) to detect anomalous command execution attempts. Regularly monitor for updates from WWBN and apply security patches promptly. Finally, consider isolating AVideo servers in segmented network zones to limit lateral movement if compromised.