PT-2026-26765 · WordPress+1 · Clonesite+1
Restriction · Published 2026-03-20 · Updated 2026-03-25 · CVE-2026-33478
CVSS v3.1: 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0
Description: AVideo, an open-source video platform, ships a CloneSite plugin with several weaknesses that chain into remote code execution by a completely unauthenticated attacker:

1. plugin/CloneSite/clones.json.php returns the clone secret keys without requiring authentication.
2. plugin/CloneSite/cloneServer.json.php accepts one of those keys to trigger a full database dump via the mysqldump command, and writes the dump into a web-accessible directory.
3. The dump contains the administrator password hashes. objects/user.php stores passwords as unsalted MD5, so the hashes are reversed trivially with a wordlist or precomputed table.
4. With administrator credentials, plugin/CloneSite/cloneClient.json.php constructs an rsync command from unsanitised request input; the resulting OS command injection executes arbitrary commands on the server.

Only the first step needs no credentials; each later step is fed by what the previous one leaks (clone keys, then the database dump, then the admin credentials, then the injected command). Approximately 17,100 AVideo instances have been observed online in the past year.
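The third link in the chain, as an added example that is not part of the advisory or of AVideo's code: why an unsalted MD5 record from a dump falls to a wordlist in one pass, and what the password_hash()/password_verify() replacement looks like, including transparent migration of legacy records at login. The wordlist, the dumped hash and the function names are constructed for this example.

```php
<?php
// Added example (not AVideo's code). The wordlist and the "dumped" hash below
// are constructed; the function names are placeholders.

declare(strict_types=1);

// Legacy scheme named in the advisory: md5($password), no salt, no work factor.
function legacyHash(string $password): string
{
    return md5($password);
}

// Offline reversal of an unsalted MD5 hash: one md5() per candidate. Because
// there is no salt, identical passwords give identical hashes, so a dump with
// many admin rows is attacked with a single pass over the wordlist.
function crackMd5(string $hash, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (hash_equals($hash, md5($candidate))) {
            return $candidate;
        }
    }
    return null;
}

// Replacement: password_hash() with bcrypt (PASSWORD_ARGON2ID is the other
// good choice where the PHP build supports it). Salt and cost are embedded in
// the returned string, so nothing else has to be stored.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login path that accepts either format and upgrades a legacy MD5 record to
// bcrypt on the first successful login. Returns [bool $ok, ?string $newHash];
// a non-null $newHash must be written back to the user row.
function verifyAndMigrate(string $password, string $stored): array
{
    if (preg_match('/^[a-f0-9]{32}$/', $stored)) {
        // Legacy MD5 row: constant-time compare, then rehash if it matched.
        if (!hash_equals($stored, md5($password))) {
            return [false, null];
        }
        return [true, modernHash($password)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return [true, $rehash ? modernHash($password) : null];
}

// Constructed demo data: a small wordlist and one hash as a dump would expose it.
$wordlist   = ['123456', 'password', 'admin123', 'letmein'];
$dumpedHash = legacyHash('admin123');

printf("md5 %s reversed to: %s\n", $dumpedHash, crackMd5($dumpedHash, $wordlist) ?? 'no hit');

[$ok, $migrated] = verifyAndMigrate('admin123', $dumpedHash);
printf("legacy login ok=%s, row upgraded to: %s\n", var_export($ok, true), $migrated);

// bcrypt salts every hash, so the same password no longer maps to one value
// across accounts, and each guess costs 2^12 rounds instead of one md5().
printf("two bcrypt hashes of the same password differ: %s\n",
    var_export(modernHash('admin123') !== modernHash('admin123'), true));
```

The migration branch matters in practice: replacing the hashing function alone leaves every existing admin row as crackable MD5 until that user logs in again, so the fix should rehash on login and, for a compromised site, force a password reset.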
Recommendations (versions up to and including 26.0):

- Require an authenticated administrator session on plugin/CloneSite/clones.json.php before any clone key is returned.
- Do not store SQL dumps in web-accessible directories; write them to a path outside the web root with restrictive permissions, and require re-authentication of an administrator before serving one for download.
- Replace MD5 password hashing with password_hash() using bcrypt or Argon2, verify with password_verify(), and rehash existing MD5 records when the user next logs in.
- Pass every value interpolated into the rsync command in plugin/CloneSite/cloneClient.json.php through escapeshellarg(). Note that escapeshellarg() only stops the shell from splitting or interpreting the value; a value beginning with "-" is still parsed by rsync as an option, so additionally validate host names and paths against an allow-list before building the command.
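The command-injection fix, as an added example that is not AVideo's code: an rsync command built by string interpolation beside the escapeshellarg() version, plus the allow-list check that quoting alone does not give you. The parameter names ($remoteHost, $remotePath, $localPath) and the helper functions are placeholders for this example, not the plugin's own.

```php
<?php
// Added example (not AVideo's code). Parameter and helper names are
// placeholders; nothing here executes rsync, the command strings are only
// built and printed so the constructions can be compared.

declare(strict_types=1);

// Vulnerable pattern: request values are dropped into a shell string. Any
// shell metacharacter (; | & ` $( ) newline) ends rsync's command line and
// starts the attacker's.
function buildRsyncUnsafe(string $remoteHost, string $remotePath, string $localPath): string
{
    return "rsync -avz {$remoteHost}:{$remotePath} {$localPath}";
}

// Hardened pattern: every interpolated value passes through escapeshellarg(),
// which single-quotes it and escapes embedded quotes, so the shell hands
// rsync exactly one argument per value regardless of content.
function buildRsyncSafe(string $remoteHost, string $remotePath, string $localPath): string
{
    return 'rsync -avz '
        . escapeshellarg($remoteHost . ':' . $remotePath) . ' '
        . escapeshellarg($localPath);
}

// escapeshellarg() stops the shell, not rsync's own option parser: a quoted
// argument that starts with "-" (for example -e <program>, rsync's
// remote-shell option) is still read by rsync as an option. Reject anything
// that is not a plain host name or absolute path before it reaches a command.
function looksLikeHost(string $h): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $h);
}

function looksLikeAbsolutePath(string $p): bool
{
    return (bool) preg_match('#^/[A-Za-z0-9._/-]*$#', $p) && strpos($p, '/../') === false;
}

function buildRsyncValidated(string $remoteHost, string $remotePath, string $localPath): string
{
    if (!looksLikeHost($remoteHost) || !looksLikeAbsolutePath($remotePath) || !looksLikeAbsolutePath($localPath)) {
        throw new InvalidArgumentException('refusing to build rsync command from untrusted value');
    }
    return buildRsyncSafe($remoteHost, $remotePath, $localPath);
}

// Constructed attacker-controlled values.
$host     = 'clone.example.test';
$local    = '/var/www/html/videos/';
$evilPath = '/var/www/; id > /tmp/pwned #';   // terminates rsync, runs a second command
$evilHost = '-e /tmp/attacker.sh';             // survives quoting, lands in rsync's -e option

echo "unsafe: ", buildRsyncUnsafe($host, $evilPath, $local), "\n";
echo "safe:   ", buildRsyncSafe($host, $evilPath, $local), "\n";

$cases = [
    [$host,     $evilPath,     $local],
    [$evilHost, '/srv/videos', $local],
    [$host,     '/srv/videos', $local],
];
foreach ($cases as [$h, $r, $l]) {
    try {
        echo "validated: ", buildRsyncValidated($h, $r, $l), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected:  {$h}:{$r} ({$e->getMessage()})\n";
    }
}
```

Printing the "safe" line shows the whole injected string surviving inside one single-quoted argument, which is the correct outcome: the shell no longer interprets it, and the validated builder then refuses the value outright instead of handing rsync a path that can never be legitimate.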
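The two server-side fixes (an administrator check on the clone listing, and a dump that lives outside the document root and is served only after re-authentication), as an added example that is not AVideo's code. The session layout ($session['user']['isAdmin'], $session['reauth_at']), the re-authentication window and every helper name are assumptions for this example; AVideo's own user and session API may differ.

```php
<?php
// Added example (not AVideo's code). Session layout, REAUTH_WINDOW policy and
// helper names are assumptions. mysqldump is not executed here; the command
// string is only built so the safe shape can be seen.

declare(strict_types=1);

const REAUTH_WINDOW = 300; // seconds a fresh password prompt stays valid (assumed policy)

// clones.json.php fix: refuse to list clone keys without an admin session.
function isAdminSession(array $session): bool
{
    return isset($session['user']['isAdmin']) && $session['user']['isAdmin'] === true;
}

function recentlyReauthenticated(array $session, int $now): bool
{
    return isset($session['reauth_at']) && ($now - (int) $session['reauth_at']) <= REAUTH_WINDOW;
}

// cloneServer.json.php fix: the dump target is a private directory, the file
// name is unguessable, and nothing from the request reaches the path.
function dumpTargetPath(string $privateDir, string $dbName): string
{
    $safeName = preg_replace('/[^A-Za-z0-9_]/', '_', $dbName);
    return $privateDir . '/' . $safeName . '-' . date('YmdHis') . '-' . bin2hex(random_bytes(8)) . '.sql';
}

function buildDumpCommand(string $optionFile, string $dbName, string $target): string
{
    // --defaults-extra-file keeps the DB password off the command line (and out
    // of `ps`); --result-file avoids a shell redirection into the target.
    return 'mysqldump --defaults-extra-file=' . escapeshellarg($optionFile)
         . ' --result-file=' . escapeshellarg($target) . ' ' . escapeshellarg($dbName);
}

// Download path: admin session, fresh re-authentication, and a name that
// resolves to a file inside the private directory. Returns the path to stream
// with readfile(), or null when the handler must answer 403/404 instead.
function resolveDumpForDownload(string $privateDir, string $requested, array $session, int $now): ?string
{
    if (!isAdminSession($session) || !recentlyReauthenticated($session, $now)) {
        return null;
    }
    $base = realpath($privateDir);
    $path = realpath($privateDir . '/' . basename($requested)); // basename() drops any directory part
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary private directory holding one placeholder dump.
$privateDir = sys_get_temp_dir() . '/avideo-dumps-' . bin2hex(random_bytes(4));
mkdir($privateDir, 0700);
$target = dumpTargetPath($privateDir, 'avideo');
file_put_contents($target, "-- constructed placeholder dump\n");
chmod($target, 0600);

echo buildDumpCommand('/etc/avideo/dump.cnf', 'avideo', $target), "\n";

$now   = time();
$anon  = [];
$admin = ['user' => ['isAdmin' => true], 'reauth_at' => $now - 10];
$stale = ['user' => ['isAdmin' => true], 'reauth_at' => $now - 3600];

var_dump(resolveDumpForDownload($privateDir, basename($target), $anon,  $now) === null);
var_dump(resolveDumpForDownload($privateDir, basename($target), $stale, $now) === null);
var_dump(resolveDumpForDownload($privateDir, basename($target), $admin, $now) === realpath($target));
var_dump(resolveDumpForDownload($privateDir, '../../etc/passwd',  $admin, $now) === null);

unlink($target);
rmdir($privateDir);
```

Moving the dump out of the web root is what closes step two of the chain; the realpath() containment check is there so that the download handler that replaces the direct link cannot be turned into a file-read primitive.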

Exploit · Fix · RCE · Improper Access Control · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-33478, GHSA-687Q-32C6-8X68

Affected Products: Avideo, Clonesite