CVE-2026-33482

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions up to and including 26.0

Description The sanitizeFFmpegCommand() function in plugin/API/standAlone/functions.php inadequately filters shell metacharacters, specifically failing to remove $() (bash command substitution syntax). This function is intended to prevent OS command injection in ffmpeg commands. Because the sanitized command is executed within a double-quoted sh -c context in execAsync(), an attacker with a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. The encryption key is derived from sha256(saltV2) on the main server, where saltV2 is generated using cryptographically strong random bytes. The IV is derived from sha256(systemRootPath). Legacy installations may use a weaker salt. The decryptString API endpoint (API.php:5963) is unauthenticated, allowing for probing but not payload crafting. The attack complexity is high due to the encryption key requirement, but the impact is critical once bypassed.

Recommendations Versions up to and including 26.0: Replace the current sanitization method with a more robust approach that strips all shell metacharacters, including command substitution, using the following regular expression: /[;|<>$(){}]/. Alternatively, parse the ffmpeg arguments and use escapeshellarg()` on each individual argument before reassembling the command to eliminate the need for a denylist.