CVE-2026-45578: WWBN AVideo Command Injection – RCE via Live Streaming
WWBN AVideo, an open-source video streaming platform, contains a command injection vulnerability in its live streaming notification system. An authenticated attacker can inject shell commands by crafting input with special characters, allowing them to execute arbitrary code on the server. The flaw exists because the application builds system commands by concatenating user-supplied values without properly escaping shell metacharacters.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45578 is a shell metacharacter injection vulnerability (CWE-78) in WWBN AVideo version 29.0 and earlier. The YPTSocket notification handler in plugin/Live/on_publish.php constructs an execAsync() command by string concatenation, single-quoting each argument ($users_id, $m3u8, $obj->liveTransmitionHistory_id) but neglecting to call escapeshellarg(). An attacker who can control any of these three parameters can terminate the quoted token with a single quote and append arbitrary shell commands that will execute with the privileges of the web server process.
Business impact
Successful exploitation grants an authenticated attacker remote code execution on affected servers. An attacker with valid credentials—such as a live streamer or privileged user—can compromise the entire server, access sensitive streaming data, manipulate broadcast content, establish persistence, or pivot to other systems on the network. For platforms hosting user-generated video content, this represents a severe data confidentiality and integrity risk.
Affected systems
WWBN AVideo version 29.0 and earlier are vulnerable. Organizations running self-hosted AVideo instances should inventory their deployments and determine current version levels immediately.
Exploitability
Exploitation requires authentication (PR:L in the CVSS vector), reducing opportunistic attack surface but not eliminating risk. The vulnerability is trivial to exploit once an attacker gains valid credentials—no complex exploitation technique is required, only string injection. The attack is over the network and does not require user interaction.
Remediation
Upgrade WWBN AVideo to a patched version released after the vulnerability disclosure. Verify the specific version number against the vendor's official advisory and release notes. As an interim measure, restrict access to live streaming features to trusted users, apply network segmentation to limit access to AVideo servers, and monitor for suspicious shell command patterns in application logs.
Patch guidance
Check the official WWBN AVideo repository and release announcements for version 30.0 or later, which should include fixes for this command injection. Apply patches to all instances running version 29.0 or earlier. Test patches in a staging environment before production deployment to ensure compatibility with existing configurations and extensions.
Detection guidance
Monitor application logs and system audit logs for unusual execAsync() calls originating from the on_publish.php handler. Look for single-quote characters in livestream user IDs, m3u8 parameters, or transmission history IDs followed by shell metacharacters (e.g., backticks, $(), pipe, semicolon, ampersand). Correlate suspicious log entries with authentication events to identify compromised accounts. Web application firewalls (WAF) can be configured to detect and block requests containing shell metacharacters in these specific parameters.
Why prioritize this
This vulnerability merits urgent patching despite not yet appearing on the CISA KEV list. The combination of a high CVSS score (8.8), straightforward exploitation, and powerful impact (remote code execution) makes it attractive to opportunistic attackers. Authentication requirement provides a modest control, but legitimate credentials can be compromised or misused. Prioritize patching internet-facing AVideo instances above internal deployments, and prioritize any instances processing sensitive or regulated video content.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects high severity: the vulnerability grants an authenticated attacker complete control over confidentiality, integrity, and availability of the affected system (C:H/I:H/A:H). The network-accessible attack vector (AV:N) and low complexity (AC:L) mean that weaponization is trivial. The presence of an authentication requirement (PR:L) prevents completely unauthenticated exploitation, preventing the score from reaching critical (9.0+) but does not materially reduce real-world risk in environments where user credentials are shared, reused, or otherwise compromised.
Frequently asked questions
Does this vulnerability affect my AVideo deployment if I only use it for internal use?
Vulnerability severity depends on both the sensitivity of your content and the trust level of your user base. Internal deployments do benefit from a reduced attack surface, but disgruntled insiders or compromised internal credentials remain a threat. All instances running version 29.0 or earlier should be patched or migrated to patched versions regardless of deployment model.
Can I safely use temporary mitigations instead of upgrading?
Interim controls such as network segmentation, VPN-only access, and credential rotation reduce risk but do not eliminate it. These mitigations are appropriate as a temporary measure while testing patches in staging, but patching should remain the priority. Command injection vulnerabilities are difficult to reliably block without architectural changes.
How do I check which version of AVideo I'm running?
Check the admin panel settings or version file typically located in the application root or config directory. Refer to the official WWBN AVideo documentation for your specific release. Once confirmed, cross-reference against vendor advisories to determine if an update is available.
Is this vulnerability exploitable without a valid account?
No. The CVSS vector specifies PR:L (low privilege required), meaning the attacker must authenticate. However, this does not mean the vulnerability is low-risk; compromised or shared credentials, social engineering, default credentials, or credential stuffing could provide an attacker with valid access.
This analysis is based on vulnerability disclosures and vendor advisories current as of the publication date. Exploit code, proof-of-concept demonstrations, and weaponized payloads are intentionally not provided. Organizations should verify patch availability and compatibility against official vendor releases and conduct thorough testing before deploying patches to production systems. This information is for defensive security purposes only. Unauthorized access to computer systems is illegal. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability