CVE-2026-33648

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0

Description AVideo is an open source video platform. The restreamer endpoint constructs a log file path by embedding user-controlled users id and liveTransmitionHistory id values from the JSON request body without sanitization. This log file path is then concatenated directly into shell commands passed to the exec() function, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as $() or backticks. The vulnerability lies in the improper handling of user-supplied input when constructing shell commands.

Recommendations Update to Commit 99b865413172045fef6a98b5e9bfc7b24da11678.