PT-2026-23005 · FFmpeg+1

Arkmarta · Published 2026-03-03 · Updated 2026-04-16 · CVE-2026-29058

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 7.0

Description: AVideo is a video-sharing platform susceptible to unauthenticated Remote Code Execution (RCE). An attacker can inject shell command substitution into the base64Url GET parameter, potentially leading to full server compromise, data exfiltration, and service disruption. The issue resides in the improper handling of user-supplied input within shell commands, specifically in objects/getImage.php and objects/security.php, which use functions such as shell_exec and nohup. The root cause is the lack of proper shell escaping when the base64Url parameter is decoded and interpolated into shell commands; the FILTER_VALIDATE_URL validation does not prevent shell metacharacters from being interpreted by the shell.

Recommendations: Update to version 7.0 to resolve the issue. Restrict access to objects/getImage.php at the web server or reverse proxy layer. Apply Web Application Firewall (WAF) rules to block suspicious patterns and limit exposure.
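The root cause described above, as an added PHP illustration that is not AVideo's code: a decoded URL that passes filter_var() with FILTER_VALIDATE_URL is still interpolated verbatim into a shell command string, beside a hardened builder that allowlists the scheme and wraps the value in escapeshellarg(). The function names, the ffmpeg command line and the sample input are hypothetical and constructed for this example.

```php
<?php
// Added illustration, not AVideo's code. Shows the unsafe pattern the advisory
// describes (URL validation followed by string interpolation into a shell
// command) next to a hardened builder. Names and the command are hypothetical.

declare(strict_types=1);

// base64url decoding (assumption: RFC 4648 URL-safe alphabet, padding optional).
function base64UrlDecode(string $s): ?string
{
    $decoded = base64_decode(strtr($s, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// UNSAFE: mirrors the root cause. FILTER_VALIDATE_URL checks URL syntax,
// not shell safety: characters that are legal in a URL path or query can
// survive validation, and the interpolated string is then parsed by the shell.
function buildCommandUnsafe(string $base64Url): ?string
{
    $url = base64UrlDecode($base64Url);
    if ($url === null || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return "ffmpeg -i $url -frames:v 1 out.jpg"; // hypothetical command
}

// HARDENED: same syntax check, plus a scheme allowlist and escapeshellarg(),
// which single-quotes the value so the shell treats it as one literal word.
function buildCommandSafe(string $base64Url): ?string
{
    $url = base64UrlDecode($base64Url);
    if ($url === null || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return 'ffmpeg -i ' . escapeshellarg($url) . ' -frames:v 1 out.jpg';
}

// Detection-side check for access logs or WAF rules: does the decoded value
// carry shell metacharacters at all? A legitimate media URL normally does not.
function containsShellMetachars(string $url): bool
{
    return preg_match('/[;&|`$(){}<>\\\\]/', $url) === 1;
}

// Constructed sample: a syntactically valid URL whose path contains a ';'.
$sample = rtrim(strtr(base64_encode('http://example.com/a;b'), '+/', '-_'), '=');

var_dump(buildCommandUnsafe($sample));   // ';' is left for the shell to interpret
var_dump(buildCommandSafe($sample));     // the whole URL is single-quoted
var_dump(containsShellMetachars('http://example.com/a;b'));
```

The hardened builder keeps the URL validation (it is still useful for rejecting malformed input) but no longer relies on it for shell safety; escapeshellarg() is what guarantees the value reaches the child process as a single argument. Where the command runner supports it, passing arguments as an array (for example via proc_open() with an argument array) avoids shell parsing entirely. The metacharacter check is the kind of pattern the recommended WAF rule or log review can key on.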

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-29058
GHSA-9J26-99JH-V26Q

Affected Products

Avideo
Ffmpeg