CVE-2026-33648: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in WWBN AVideo
CVE-2026-33648 is a high-severity OS command injection vulnerability in WWBN AVideo versions up to 26.0. The flaw exists in the restreamer endpoint, which unsafely incorporates user-controlled JSON parameters into shell commands without sanitization. Authenticated users can exploit this by injecting shell metacharacters to execute arbitrary commands on the server. This vulnerability impacts confidentiality, integrity, and availability, as attackers can run arbitrary code remotely. A patch addressing this issue has been committed but not yet widely distributed. Organizations using affected versions should urgently apply the fix or implement strict input validation. The vulnerability requires authentication but no user interaction beyond sending crafted requests. Countries with significant WWBN AVideo deployments and active video streaming services are at higher risk. Given the ease of exploitation and broad impact, this vulnerability is rated high severity with a CVSS score of 8.8.
AI Analysis
Technical Summary
CVE-2026-33648 is an OS command injection vulnerability in the WWBN AVideo open source video platform, affecting all versions up to and including 26.0. The vulnerability arises from the restreamer endpoint's unsafe handling of user input: the 'users_id' and 'liveTransmitionHistory_id' fields taken from the JSON request body are embedded directly into a log file path string without any sanitization or validation. That path is then concatenated into shell commands executed via PHP's exec() function. Because the input is never neutralized, an authenticated attacker can inject shell metacharacters such as $() or backticks and execute arbitrary commands on the underlying server operating system, which can lead to full system compromise, data theft, or service disruption. The attacker must be authenticated, but no additional user interaction is required. The issue is tracked under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). A patch has been committed (commit 99b865413172045fef6a98b5e9bfc7b24da11678) that sanitizes the inputs so they can no longer alter the command. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity and low privileges required.
Potential Impact
The impact of CVE-2026-33648 is significant for organizations using WWBN AVideo versions up to 26.0. Successful exploitation allows authenticated attackers to execute arbitrary OS commands, potentially leading to full server compromise. This can result in unauthorized data access or exfiltration, modification or deletion of critical data, disruption of video streaming services, and potential lateral movement within the network. Given that AVideo is a video platform, attackers could also manipulate or disrupt media content delivery, damaging organizational reputation and causing operational downtime. The vulnerability affects confidentiality, integrity, and availability simultaneously, making it a critical risk for service providers, media companies, educational institutions, and any organization relying on AVideo for video streaming. The requirement for authentication limits exposure somewhat, but insider threats or compromised credentials increase risk. No known exploits are currently reported in the wild, but the straightforward exploitation method suggests attackers may develop exploits rapidly.
Mitigation Recommendations
To mitigate CVE-2026-33648, organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 99b865413172045fef6a98b5e9bfc7b24da11678 or later. If upgrading is not immediately possible, implement strict input validation and sanitization on the 'users_id' and 'liveTransmitionHistory_id' parameters at the application or web server level to block shell metacharacters and command injection patterns. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the restreamer endpoint. Restrict access to the restreamer endpoint to trusted users and networks, and enforce strong authentication and credential management to reduce the risk of compromised accounts. Monitor logs for unusual command execution patterns or anomalies in the restreamer service. Conduct regular security audits and penetration testing focusing on injection vulnerabilities. Finally, educate developers on secure coding practices to avoid direct concatenation of user input into shell commands.
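The two handler shapes described above, as an added PHP illustration that is not AVideo's code and not the committed patch: a hypothetical restreamer-style handler that builds a log path from the two JSON fields and appends it to an ffmpeg command line. The first version shows the CWE-78 pattern (raw fields interpolated into a string that reaches the shell); the second rejects anything that is not a positive integer and still quotes every argument with escapeshellarg() as defence in depth. The function names, the ffmpeg command, the log directory, and the sample requests are all constructed for the example; the code only builds command strings and never calls exec().

```php
<?php
// Added example (not WWBN AVideo code, not the fix commit): vulnerable vs hardened
// construction of a shell command from JSON request fields.
declare(strict_types=1);

// ---- Vulnerable pattern (constructed sketch of the CWE-78 shape) ----
// Untrusted 'users_id' / 'liveTransmitionHistory_id' flow straight into a path,
// and the path is spliced unquoted into a command that /bin/sh will parse.
function buildLogPathUnsafe(array $json): string
{
    return "/var/log/restream/{$json['users_id']}_{$json['liveTransmitionHistory_id']}.log";
}

function buildCommandUnsafe(array $json): string
{
    $log = buildLogPathUnsafe($json);
    // Any $(...), backtick, ';' or '|' inside $log is interpreted by the shell.
    return "ffmpeg -i input.flv -f flv rtmp://example.invalid/live > {$log} 2>&1";
}

// ---- Hardened form ----
// 1. Validate both identifiers as positive integers and reject everything else
//    (a reject-on-failure allowlist, not a blocklist of metacharacters).
// 2. Build the path from the validated integers only.
// 3. Quote every argument with escapeshellarg() so nothing reaches the shell unquoted.
function requireId(array $json, string $key): int
{
    $v = $json[$key] ?? null;
    // JSON may deliver an int or a string; booleans, arrays and null are rejected.
    if (!is_int($v) && !is_string($v)) {
        throw new InvalidArgumentException("invalid {$key}");
    }
    $id = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("invalid {$key}");
    }
    return $id;
}

function buildLogPathSafe(array $json): string
{
    $usersId   = requireId($json, 'users_id');
    $historyId = requireId($json, 'liveTransmitionHistory_id');
    // %d guarantees the path contains only digits from the request.
    return sprintf('/var/log/restream/%d_%d.log', $usersId, $historyId);
}

function buildCommandSafe(array $json): string
{
    $log = buildLogPathSafe($json);
    return 'ffmpeg -i ' . escapeshellarg('input.flv')
         . ' -f flv ' . escapeshellarg('rtmp://example.invalid/live')
         . ' > ' . escapeshellarg($log) . ' 2>&1';
}

// Constructed requests: one benign, one carrying a command-substitution attempt
// of the $() kind the advisory mentions.
$benign  = ['users_id' => '42',      'liveTransmitionHistory_id' => '7'];
$hostile = ['users_id' => '42$(id)', 'liveTransmitionHistory_id' => '7'];

// The unsafe builder happily embeds the hostile value in the command string.
echo "unsafe: ", buildCommandUnsafe($hostile), PHP_EOL;

// The hardened builder quotes the benign path and refuses the hostile request.
echo "safe:   ", buildCommandSafe($benign), PHP_EOL;
try {
    buildCommandSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo "safe:   rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

The important design choice is that the hardened path validates the type the field is supposed to have rather than stripping characters from it: an identifier that is not a positive integer is an error to log and refuse, which also gives the monitoring recommended above a concrete event to alert on.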
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.217Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18a60f4197a8e3b8159ef
Added to database: 3/23/2026, 6:45:52 PM
Last enriched: 3/23/2026, 7:01:38 PM
Last updated: 3/23/2026, 7:50:29 PM