CVE-2026-41304: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in WWBN AVideo
WWBN AVideo versions 29. 0 and below contain a command injection vulnerability in the CloneSite plugin's cloneServer. json. php endpoint. The vulnerability arises because user input from the 'url' parameter is directly concatenated into a shell command executed via exec() without proper sanitization. This allows an attacker to inject arbitrary shell commands, leading to remote code execution on the server. A fix for this issue is present in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.
AI Analysis
Technical Summary
CVE-2026-41304 is a command injection vulnerability (CWE-77) in WWBN AVideo (<= 29.0) affecting the CloneSite plugin. The 'url' parameter is used unsafely in a shell command constructed for wget execution via PHP's exec() function. Because the input is not properly sanitized, an attacker can inject shell metacharacters to execute arbitrary commands remotely. This vulnerability allows unauthenticated remote code execution. The issue is fixed in a specific commit referenced by the vendor.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary shell commands on the server hosting the vulnerable AVideo instance. This leads to full remote code execution, potentially compromising the server and any data or services it hosts. The CVSS 4.0 score is 8.9 (high severity), reflecting the network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available as indicated by the referenced commit 473c609fc2defdea8b937b00e86ce88eba1f15bb. Users should update AVideo to a version that includes this commit or apply the patch manually. Since no official vendor advisory or patch link is provided, verify the fix by reviewing the commit and updating accordingly. Patch status is not yet confirmed via an official advisory; check the vendor repository or project updates for the latest remediation guidance.
CVE-2026-41304: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in WWBN AVideo
Description
WWBN AVideo versions 29. 0 and below contain a command injection vulnerability in the CloneSite plugin's cloneServer. json. php endpoint. The vulnerability arises because user input from the 'url' parameter is directly concatenated into a shell command executed via exec() without proper sanitization. This allows an attacker to inject arbitrary shell commands, leading to remote code execution on the server. A fix for this issue is present in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41304 is a command injection vulnerability (CWE-77) in WWBN AVideo (<= 29.0) affecting the CloneSite plugin. The 'url' parameter is used unsafely in a shell command constructed for wget execution via PHP's exec() function. Because the input is not properly sanitized, an attacker can inject shell metacharacters to execute arbitrary commands remotely. This vulnerability allows unauthenticated remote code execution. The issue is fixed in a specific commit referenced by the vendor.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary shell commands on the server hosting the vulnerable AVideo instance. This leads to full remote code execution, potentially compromising the server and any data or services it hosts. The CVSS 4.0 score is 8.9 (high severity), reflecting the network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available as indicated by the referenced commit 473c609fc2defdea8b937b00e86ce88eba1f15bb. Users should update AVideo to a version that includes this commit or apply the patch manually. Since no official vendor advisory or patch link is provided, verify the fix by reviewing the commit and updating accordingly. Patch status is not yet confirmed via an official advisory; check the vendor repository or project updates for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T14:01:46.670Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e808b919fe3cd2cd05c6b5
Added to database: 4/21/2026, 11:31:05 PM
Last enriched: 4/21/2026, 11:46:07 PM
Last updated: 4/22/2026, 12:37:54 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.