CVE-2026-41064 - Vulnerability Analysis
Critical | CVSS: 9.3 | Last Updated: April 22, 2026
WWBN AVideo - Command Injection
Overview
WWBN AVideo <= 29.0 contains a command injection vulnerability caused by incomplete sanitization of URL inputs in the file_get_contents and curl code paths. It lets attackers execute arbitrary commands; exploitation requires crafted URL input.
Impact
Attackers can execute arbitrary commands on the server, potentially leading to full system compromise.
Mitigation
Update to the version including commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 or later.
Social Media Activity (2 posts)
🛑 CRITICAL: WWBN AVideo <=29.0 vulnerable to OS command injection (CVE-2026-41064, CVSS 9.3). Unauthenticated attackers can exploit weak URL validation to run arbitrary commands. No official patch — see commit for fix details. https://radar.offseq.com/threat/cve-2026-41064-cwe-78-improper-neutralization-of-s-446caa6f #OffSeq #CVE202641064 #infosec
Details
- CVE ID: CVE-2026-41064
- Severity: Critical
- CVSS Score: 9.3
- Type: command_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N