Vulnerability Details CVE-2026-33648
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 25.7%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2026-33648
-
cpe:2.3:a:wwbn:avideo:-
-
cpe:2.3:a:wwbn:avideo:10.1
-
cpe:2.3:a:wwbn:avideo:10.2
-
cpe:2.3:a:wwbn:avideo:10.4
-
cpe:2.3:a:wwbn:avideo:10.8
-
cpe:2.3:a:wwbn:avideo:11
-
cpe:2.3:a:wwbn:avideo:11.1
-
cpe:2.3:a:wwbn:avideo:11.1.1
-
cpe:2.3:a:wwbn:avideo:11.5
-
cpe:2.3:a:wwbn:avideo:11.6
-
cpe:2.3:a:wwbn:avideo:12.4
-
cpe:2.3:a:wwbn:avideo:14.2
-
cpe:2.3:a:wwbn:avideo:14.3
-
cpe:2.3:a:wwbn:avideo:14.3.1
-
cpe:2.3:a:wwbn:avideo:14.4
-
cpe:2.3:a:wwbn:avideo:2.2
-
cpe:2.3:a:wwbn:avideo:2.4
-
cpe:2.3:a:wwbn:avideo:2.7
-
cpe:2.3:a:wwbn:avideo:3.4
-
cpe:2.3:a:wwbn:avideo:3.4.1
-
cpe:2.3:a:wwbn:avideo:4.0
-
cpe:2.3:a:wwbn:avideo:4.0.1
-
cpe:2.3:a:wwbn:avideo:4.0.2
-
cpe:2.3:a:wwbn:avideo:5.0
-
cpe:2.3:a:wwbn:avideo:6.5
-
cpe:2.3:a:wwbn:avideo:7.2
-
cpe:2.3:a:wwbn:avideo:7.3
-
cpe:2.3:a:wwbn:avideo:7.4
-
cpe:2.3:a:wwbn:avideo:7.5
-
cpe:2.3:a:wwbn:avideo:7.6
-
cpe:2.3:a:wwbn:avideo:7.7
-
cpe:2.3:a:wwbn:avideo:7.8
-
cpe:2.3:a:wwbn:avideo:8.1
-
cpe:2.3:a:wwbn:avideo:8.5
-
cpe:2.3:a:wwbn:avideo:8.6
-
cpe:2.3:a:wwbn:avideo:8.7
-
cpe:2.3:a:wwbn:avideo:8.9
-
cpe:2.3:a:wwbn:avideo:8.9.1