CVE-2026-33478 - Vulnerability Analysis
CriticalCVSS: 10.0Last Updated: March 23, 2026
WWBN AVideo - Remote Code Execution
Overview
WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary system commands, leading to full server compromise.
Mitigation
Update to the version including commit c85d076375fab095a14170df7ddb27058134d38c or later.
References
Social Media Activity(2 posts)
š“ CVE-2026-33478 - Critical (10) WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.j... š https://www.thehackerwire.com/vulnerability/CVE-2026-33478/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š“ CVE-2026-33478 - Critical (10) WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.j... š https://www.thehackerwire.com/vulnerability/CVE-2026-33478/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-33478
- Severity
- Critical
- CVSS Score
- 10.0
- Type
- command_injection
- Status
- new
- EPSS
- 0.0%
- Social Posts
- 2
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H