CRITICAL: CVE-2026-41304 (CVSS 9.8) — wwbn avideo
CVE: CVE-2026-41304
CVSS: 9.8 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
Status: Critical advisory
Affected
- wwbn avideo
Summary
WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input (url parameter) without proper sanitization. The input is directly concatenated into a wget command executed via exec(), allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., ;). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
Verified Sources
References
- https://github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp
_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._
Lyrie Verdict
A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.
Validated sources
- [1]NVD
- [2]GitHub Advisory
- [3]MITRE