WWBN AVideo, an open source video platform, suffers from an OS command injection vulnerability (CWE-78) in its test.php script in versions up to 29.0. The initial fix applied escapeshellarg only to the wget command, but left other code paths such as file_get_contents and curl unsanitized. The URL validation uses a regex /^http/ which incorrectly accepts strings like 'httpevil.com', allowing potentially malicious input to reach OS commands. This flaw can lead to command injection with high confidentiality impact and limited integrity impact, as reflected by a CVSS 3.1 score of 9.3. An updated fix is referenced by a specific commit, but no official patch or advisory is documented in the provided data.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary OS commands on the server hosting AVideo, potentially leading to full confidentiality compromise of the system. The CVSS score of 9.3 indicates critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and scope change. Integrity impact is limited, and availability is not affected. No known exploits in the wild have been reported as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The provided data references a commit that contains an updated fix, suggesting a patch exists in the source repository. Until an official patch is released and applied, users should avoid using affected versions (<= 29.0) and monitor the vendor's repository or advisory channels for the official fix. No vendor advisory or official remediation level is provided in the data.