PT-2026-34216 · Avideo · Avideo

Published

2026-04-14

Updated

2026-04-25

CVE-2026-41064

CVSS v3.1

9.3

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.1

Description An incomplete fix in the 'test.php' file allows for unsanitized input. While the wget path was secured using escapeshellarg, the file get contents and curl code paths remain unsanitized. Additionally, the URL validation regular expression /^http/ is insufficient as it accepts strings such as 'httpevil[.]com'.

Recommendations Update to a version that includes commit 78bccae74634ead68aa6528d631c9ec4fd7aa536.

Exploit

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2026-41064

GHSA-PQ8P-WC4F-VG7J

Affected Products

Avideo

PT-2026-34216 · Avideo · Avideo

CVE-2026-41064

Weakness Enumeration

Related Identifiers

Affected Products

References · 12