PT-2026-43460 · Wwbn · Avideo
Offset · Published 2026-05-15 · Updated 2026-05-29 · CVE-2026-45578

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier

Description: A shell-metacharacter injection exists in the YPTSocket notification branch within the plugin/Live/on_publish.php file. The application constructs a command line for the execAsync() function using string concatenation and literal single quotes instead of using the escapeshellarg() function. This allows an attacker to close the quoted token by inserting a single quote into the $users_id, $m3u8, or $obj->liveTransmitionHistory_id variables, enabling the execution of arbitrary OS commands with the privileges of the web-server runtime user.
The issue is reachable via a direct HTTP POST request to the endpoint "/plugin/Live/on_publish.php".

Recommendations: Update to a version where escapeshellarg() is applied to all variables interpolated into the command string in plugin/Live/on_publish.php. As a temporary mitigation, restrict access to the "/plugin/Live/on_publish.php" endpoint to only allow requests from 127.0.0.1 and configured RTMP server IPs via .htaccess or nginx location rules.
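To show the difference between the unsafe concatenation the advisory describes and the escapeshellarg() fix it recommends, here is an added PHP illustration; it is not AVideo's own code, and the helper script path, the builder function names and the sample values are assumptions (the variable names follow the advisory).

```php
<?php
// Hypothetical illustration of the pattern in the advisory, not code from AVideo.
// The script path below and the two builder functions are assumptions.

// Vulnerable pattern: each value is wrapped in literal single quotes by string
// concatenation. A single quote inside a value ends the quoted token early, so
// whatever follows it is parsed by the shell as command syntax, not as data.
function buildNotifyCommandUnsafe(string $users_id, string $m3u8, string $liveTransmitionHistory_id): string
{
    return "php /var/www/notify.php '" . $users_id . "' '" . $m3u8 . "' '" . $liveTransmitionHistory_id . "'";
}

// Hardened pattern: escapeshellarg() quotes each value itself and rewrites any
// embedded single quote as '\'' , so the value can never close its own token.
function buildNotifyCommandSafe(string $users_id, string $m3u8, string $liveTransmitionHistory_id): string
{
    return 'php /var/www/notify.php '
        . escapeshellarg($users_id) . ' '
        . escapeshellarg($m3u8) . ' '
        . escapeshellarg($liveTransmitionHistory_id);
}

// Defence in depth: the two ids are database keys, so reject anything that is
// not a plain positive integer before the value ever reaches a command string.
function assertNumericId(string $value, string $name): int
{
    if ($value === '' || !ctype_digit($value)) {
        throw new InvalidArgumentException("$name must be a positive integer");
    }
    return (int) $value;
}

// Constructed sample input containing a single quote; the strings are only
// printed for comparison, no command is executed.
$users_id = (string) assertNumericId('12', 'users_id');
$history  = (string) assertNumericId('7', 'liveTransmitionHistory_id');
$m3u8     = "https://cdn.example.invalid/live.m3u8' trailing";

echo "unsafe: ", buildNotifyCommandUnsafe($users_id, $m3u8, $history), PHP_EOL;
echo "safe:   ", buildNotifyCommandSafe($users_id, $m3u8, $history), PHP_EOL;
```

escapeshellarg() quotes for the platform PHP runs on: on Windows it uses double quotes and replaces embedded quotes with spaces, so validate the values (as assertNumericId() does for the ids) rather than relying on quoting alone.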

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-45578, GHSA-XW67-CG5F-4M2R

Affected Products: Avideo