WWBN AVideo, an open-source video platform, suffers from an OS command injection vulnerability identified as CVE-2026-33482 affecting versions up to and including 26.0. The vulnerability exists in the sanitizeFFmpegCommand() function located in plugin/API/standAlone/functions.php, which attempts to sanitize ffmpeg command inputs by removing dangerous shell metacharacters such as &&, ;, |, backticks, <, and >. However, it fails to sanitize the bash command substitution syntax $(), which allows an attacker to inject arbitrary commands. The sanitized command is executed within a double-quoted sh -c context by the execAsync() function, enabling command injection via crafted payloads. An attacker capable of delivering a valid encrypted payload can execute arbitrary OS commands on the standalone encoder server, potentially compromising the entire system. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Although no known exploits are currently reported in the wild, the CVSS v3.1 score of 8.1 reflects the high impact and potential severity of this flaw. A patch has been committed (commit 25c8ab90269e3a01fb4cf205b40a373487f022e1) to address this issue by properly sanitizing the command input to remove the $() syntax.

The vulnerability allows remote attackers to execute arbitrary OS commands on the standalone encoder server without authentication or user interaction, leading to full system compromise. This can result in unauthorized access to sensitive video content, manipulation or deletion of data, disruption of video streaming services, and potential lateral movement within the network. The confidentiality, integrity, and availability of the affected systems are severely impacted. Organizations relying on AVideo for video hosting or streaming services face risks of data breaches, service outages, and reputational damage. Since the encoder server typically handles media processing, exploitation could also enable attackers to inject malicious content or disrupt media workflows. The high CVSS score reflects the critical nature of this vulnerability in environments where AVideo is deployed.

1. Immediately apply the official patch from the WWBN AVideo project (commit 25c8ab90269e3a01fb4cf205b40a373487f022e1) that properly sanitizes the $() syntax in ffmpeg commands. 2. Restrict network access to the standalone encoder server to trusted administrators and systems only, using firewalls and network segmentation. 3. Implement strict input validation and sanitization on all user-supplied data that may influence command execution, beyond relying solely on sanitizeFFmpegCommand(). 4. Monitor logs and system behavior for unusual command execution patterns or unexpected processes spawned by ffmpeg commands. 5. Consider running the encoder server with least privilege, using containerization or sandboxing to limit the impact of potential exploitation. 6. Regularly update AVideo and dependencies to incorporate security fixes. 7. Educate developers and administrators about secure coding practices related to command execution and shell metacharacter handling.