QSearchQSearch

CVE-2026-45578

8.8 HIGH

WWBN AVideo is an open source video platform

Published: 2026-05-29 · Last updated: 2026-06-01

Severity and scoring

CVSS
8.8 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78

Affected products

VendorProduct
wwbnavideo

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-47696 WWBN AVideo is an open source video platform (4.3 MEDIUM)
  • CVE-2026-47694 WWBN AVideo is an open source video platform (5.4 MEDIUM)
  • CVE-2026-46337 WWBN AVideo is an open source video platform (5.3 MEDIUM)
  • CVE-2026-45731 WWBN AVideo is an open source video platform (4.9 MEDIUM)
  • CVE-2026-45620 WWBN AVideo is an open source video platform (5.3 MEDIUM)

Same CWE

  • CVE-2026-12161 Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user ...
  • CVE-2026-48723 The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack (7.8 HIGH)
  • CVE-2026-9863 Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client in... (7.5 HIGH)
  • CVE-2026-9862 Fortra's  Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service (9.8 CRITICAL)
  • CVE-2026-11527 Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument... (8.6 HIGH)