CVE-2026-33482 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: March 23, 2026
WWBN AVideo - Command Injection
Overview
WWBN AVideo <= 26.0 contains a command injection vulnerability in plugin/API/standAlone/functions.php. Sanitization of ffmpeg commands is incomplete and still allows bash command substitution ($()), letting attackers execute arbitrary OS commands on the standalone encoder server. Exploitation requires crafting a valid encrypted payload.
Severity & Score
Impact
Attackers can execute arbitrary OS commands on the standalone encoder server, potentially leading to full system compromise.
Mitigation
Update to the version including commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 or later.
References
Social Media Activity (2 posts)
CVE-2026-33482 - High (8.1) WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangero... https://www.thehackerwire.com/vulnerability/CVE-2026-33482/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-33482
- Severity: High
- CVSS Score: 8.1
- Type: command_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H