CVE-2026-33648: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
AI Analysis
Technical Summary
CVE-2026-33648 is an OS command injection vulnerability identified in WWBN AVideo, an open-source video platform widely used for video streaming and management. The vulnerability affects all versions up to and including 26.0. The root cause lies in the restreamer endpoint, which constructs a log file path by embedding two user-controlled parameters, `users_id` and `liveTransmitionHistory_id`, directly from the JSON request body into shell commands executed via PHP's `exec()` function. Because these inputs are not sanitized or neutralized, an authenticated attacker can inject shell metacharacters such as `$()` or backticks to execute arbitrary OS commands with the privileges of the web server process. This can lead to full system compromise, data exfiltration, or service disruption. The vulnerability requires authentication but no additional user interaction. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity. A patch has been committed (commit 99b865413172045fef6a98b5e9bfc7b24da11678) that properly sanitizes inputs to prevent command injection. No known exploits are reported in the wild yet, but the vulnerability is critical enough to warrant immediate remediation.
Potential Impact
The impact of this vulnerability is severe for organizations using WWBN AVideo versions up to 26.0. Successful exploitation allows an authenticated attacker to execute arbitrary commands on the underlying server, potentially leading to complete system compromise. This can result in unauthorized data access or modification, service disruption, deployment of malware or ransomware, and lateral movement within the network. Given that AVideo is often used to manage and stream video content, attackers could also manipulate or delete valuable media assets, impacting business operations and reputation. The vulnerability affects confidentiality, integrity, and availability simultaneously. Since exploitation requires only authentication and no user interaction, insider threats or compromised credentials could be leveraged easily. Organizations relying on AVideo for video delivery or content management face significant operational and security risks if unpatched.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 99b865413172045fef6a98b5e9bfc7b24da11678 or later. If upgrading is not immediately possible, implement strict input validation and sanitization on the `users_id` and `liveTransmitionHistory_id` parameters to neutralize shell metacharacters before they reach the `exec()` call. Restrict access to the restreamer endpoint to trusted authenticated users only, and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Monitor server logs for suspicious command execution patterns or unexpected shell activity. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block command injection attempts. Regularly audit and review user privileges to minimize the number of accounts with access to vulnerable endpoints. Finally, conduct penetration testing and code reviews focusing on command injection vectors in custom deployments.
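As an added example (not code from AVideo or from the patch commit), the following PHP shows one way to implement the mitigation described above: `users_id` and `liveTransmitionHistory_id` are validated as plain integer IDs before a log path is built from them, and the path is then quoted with `escapeshellarg()` before it is placed in a command string. The function names, the base log directory, the `tail` command and the sample request bodies are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's own code. The advisory describes user-controlled IDs
// from the JSON body being concatenated into a shell command; this shows the two
// defensive layers a reviewer would expect: strict validation, then argument quoting.

/**
 * Validate a value that must be a database-style integer ID.
 * Accepts a non-negative int or a digits-only string; anything else is rejected,
 * which rules out every shell metacharacter class in one check.
 */
function requireIntId(mixed $value, string $name): int
{
    if (is_int($value) && $value >= 0) {
        return $value;
    }
    // \z rather than $ so a trailing newline cannot slip past the anchor.
    if (is_string($value) && preg_match('/^\d{1,18}\z/', $value) === 1) {
        return (int) $value;
    }
    throw new InvalidArgumentException("$name must be a non-negative integer");
}

/**
 * Build the restreamer log path from validated IDs only.
 * $baseDir is an assumed location; the advisory does not name the real path.
 */
function buildRestreamLogPath(array $json, string $baseDir): string
{
    $usersId   = requireIntId($json['users_id'] ?? null, 'users_id');
    $historyId = requireIntId($json['liveTransmitionHistory_id'] ?? null, 'liveTransmitionHistory_id');
    // Only digits can reach the path at this point.
    return rtrim($baseDir, '/') . "/restream_{$usersId}_{$historyId}.log";
}

/**
 * Compose the command string. escapeshellarg() is the second layer: even if a
 * caller bypassed validation, the path is passed as one single-quoted argument.
 */
function buildTailCommand(string $logPath): string
{
    return 'tail -n 50 ' . escapeshellarg($logPath);
}

// Constructed sample request bodies (not real traffic). The second one carries the
// kind of metacharacter sequence the advisory names and must be rejected.
$good = ['users_id' => '42', 'liveTransmitionHistory_id' => 7];
$bad  = ['users_id' => '42$(x)', 'liveTransmitionHistory_id' => 7];

$path = buildRestreamLogPath($good, '/var/log/avideo');
echo buildTailCommand($path), PHP_EOL;

try {
    buildRestreamLogPath($bad, '/var/log/avideo');
} catch (InvalidArgumentException $e) {
    // Validation failure is the expected outcome here; log it and return 400 upstream.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation step is the one that actually closes the hole: once the IDs can only be digits, no metacharacter reaches the command. `escapeshellarg()` is kept as defence in depth so that a future code path that skips validation still does not hand the shell an unquoted string. The rejected request is also a useful detection signal: a non-numeric ID in this endpoint's request body is worth alerting on.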
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.217Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18a60f4197a8e3b8159ef
Added to database: 3/23/2026, 6:45:52 PM
Last enriched: 3/30/2026, 8:18:17 PM
Last updated: 5/7/2026, 4:32:49 AM
Views: 63