PT-2026-23005 · FFmpeg+1

Published: 2026-03-03 · Updated: 2026-03-09 · CVE-2026-29058

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 7.0
Description: AVideo is a video-sharing platform susceptible to unauthenticated Remote Code Execution (RCE). An attacker can inject shell command substitution into the base64Url GET parameter, potentially leading to full server compromise, data exfiltration and service disruption. The issue resides in the improper handling of user-supplied input within shell commands, specifically in objects/getImage.php and objects/security.php, which build commands with functions such as shell_exec and run them under the nohup command. The root cause is the lack of shell escaping when the decoded base64Url value is interpolated into a shell command string. The FILTER_VALIDATE_URL check applied to the value does not prevent shell metacharacters from being interpreted by the shell: that filter only verifies the scheme, host and general URL character set, and characters such as $, (, ), backticks, ; and | are all legal in a URL, so a URL carrying a $(...) substitution in its path passes validation unchanged.
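The following PHP example is added here for illustration; it is not AVideo's code and does not appear in the advisory. It reproduces the pattern described above (decode the base64Url parameter, pass it through FILTER_VALIDATE_URL, interpolate it into a shell command) with a constructed payload, and places the vulnerable command construction beside a hardened one that uses escapeshellarg() plus an allowlist check. The ffmpeg command line, the URL-safe base64 handling and all function names are assumptions; the real command in objects/getImage.php is not shown on this page. Only command strings are built, nothing is executed.

```php
<?php
declare(strict_types=1);

// Added example (not AVideo's code). It reproduces the pattern the advisory
// describes: a base64-encoded URL is decoded, checked with FILTER_VALIDATE_URL
// and interpolated into a shell command. The ffmpeg command line and the
// URL-safe base64 handling are assumptions; the real code in
// objects/getImage.php is not reproduced on this page.

// Constructed attacker input: an image URL whose path carries a command
// substitution. No spaces are used because FILTER_VALIDATE_URL rejects them.
const PAYLOAD_URL = 'https://example.com/a.png$(id>/tmp/pwned)';

// Decode the GET parameter and apply the same validation the advisory says
// is insufficient. Returns null when decoding or validation fails.
function decodeBase64UrlParam(string $base64Url): ?string
{
    // Accept the URL-safe alphabet as well as standard base64 (assumption).
    $url = base64_decode(strtr($base64Url, '-_', '+/'), true);
    if ($url === false) {
        return null;
    }
    // FILTER_VALIDATE_URL only checks scheme, host and the URL character set,
    // and $ ( ) ` ; | & < > are all legal URL characters, so the payload passes.
    return filter_var($url, FILTER_VALIDATE_URL) === false ? null : $url;
}

// Vulnerable: the URL lands inside a double-quoted shell string, where the
// shell still expands $(...) and backticks before ffmpeg ever runs.
function buildCommandVulnerable(string $url): string
{
    return "nohup ffmpeg -i \"$url\" -frames:v 1 /tmp/thumb.jpg >/dev/null 2>&1 &";
}

// Hardened: escapeshellarg() single-quotes the value and escapes embedded
// single quotes, so the shell hands it to ffmpeg as one literal argument.
function buildCommandHardened(string $url): string
{
    return 'nohup ffmpeg -i ' . escapeshellarg($url)
        . ' -frames:v 1 /tmp/thumb.jpg >/dev/null 2>&1 &';
}

// Defence in depth: independent of escaping, refuse URLs that are not plain
// http(s) locations. The character allowlist deliberately leaves out
// $ ` ( ) ; | < > quotes and whitespace, so substitution syntax never
// reaches the command builder at all.
function isAcceptableImageUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return preg_match('#^[A-Za-z0-9\-._~:/?\#\[\]@!%+,=&]+$#', $url) === 1;
}

// Walk the payload through each stage. Only command strings are built here;
// nothing is executed.
$param = strtr(base64_encode(PAYLOAD_URL), '+/', '-_');
$url   = decodeBase64UrlParam($param);

echo "base64Url parameter : $param\n";
echo "FILTER_VALIDATE_URL : " . ($url === null ? 'rejected' : 'accepted') . "\n";
if ($url !== null) {
    echo "vulnerable command  : " . buildCommandVulnerable($url) . "\n";
    echo "hardened command    : " . buildCommandHardened($url) . "\n";
    echo "allowlist check     : " . (isAcceptableImageUrl($url) ? 'accepted' : 'rejected') . "\n";
}
```

Run it with php on the command line. The vulnerable line shows the $(...) sequence sitting inside double quotes, where a POSIX shell would still expand it; the hardened line shows the same value single-quoted by escapeshellarg(), which the shell treats as a literal; and the allowlist rejects the payload outright because of the $, ( and ) characters. The allowlist is a second, independent control: the fix that matters is never building a command string from unescaped input.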
Recommendations: Update to version 7.0 to resolve the issue. Until the update is applied, restrict access to objects/getImage.php at the web server or reverse proxy layer, and apply Web Application Firewall (WAF) rules to block suspicious patterns and limit exposure. Note that the injected metacharacters arrive base64-encoded inside the base64Url parameter, so a WAF rule that matches only the raw request will not see them; the rule must decode the parameter value before inspecting it.

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-29058, GHSA-9J26-99JH-V26Q

Affected Products: Avideo, Ffmpeg