PT-2026-41543 · Kodbox · Filethumb Plugin+1

Vulnplusbot · Published 2026-05-17 · Updated 2026-05-18 · CVE-2026-8753

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: kalcaddle Kodbox versions prior to 1.65

Description: The fileThumb Plugin is vulnerable to command injection that can be exploited remotely. The issue is in the parseVideoInfo() function in the /workspace/source-code/plugins/fileThumb/lib/VideoResize.class.php file, where manipulation of the ffmpegBin argument allows execution of arbitrary commands.

Recommendations: Update to a version later than 1.64. As a temporary workaround, restrict access to the fileThumb Plugin or the parseVideoInfo() function to minimize the risk of exploitation.

Exploit

Fix

Command Injection

Special Elements Injection

Weakness Enumeration

Related Identifiers: CVE-2026-8753

Affected Products: Kodbox, Filethumb Plugin