CRITICAL: CVE-2026-41064 (CVSS 9.3) — wwbn avideo
CVE: CVE-2026-41064
CVSS: 9.3 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Severity: CRITICAL
Status: Critical advisory
Affected
- wwbn avideo
Summary
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil[.]com. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
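The gap between the /^http/ prefix check described above and a check that actually parses the URL, shown as an added PHP example. This is not AVideo's code or its patch: the function names weakIsUrl and strictIsHttpUrl, the stricter design, and the sample inputs are assumptions constructed for illustration.

```php
<?php
// The check described in the advisory: only tests that the string starts with "http".
function weakIsUrl(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Stricter check (assumed design, not AVideo's patch): parse the string and
// require an explicit http/https scheme plus a syntactically valid host.
function strictIsHttpUrl(string $url): bool
{
    // Reject empty input, whitespace and control characters before parsing.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // No embedded credentials; host must be a valid hostname or IP literal.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = trim($parts['host'], '[]');
    return filter_var($host, FILTER_VALIDATE_IP) !== false
        || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Constructed sample inputs.
$samples = [
    'https://example.com/video.mp4',
    'httpevil.example',
    'http://',
    'httpx://example.com/',
    'ftp://example.com/file',
];

foreach ($samples as $s) {
    printf("%-32s weak=%-5s strict=%s\n", $s,
        var_export(weakIsUrl($s), true), var_export(strictIsHttpUrl($s), true));
}
```

Validation of this kind complements argument escaping and does not replace it: every code path that receives the URL (wget, curl, file_get_contents) needs the same handling, which is the gap the summary describes.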
Verified Sources
References
- https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
- https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536
- https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
- https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j
_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._
Lyrie Verdict
A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.
Validated sources
- [1] NVD
- [2] GitHub Advisory
- [3] MITRE