9.8
AVideo 7.0 or earlier: Unauthenticated attackers can take control of the server
CVE-2026-29058
GHSA-9j26-99jh-v26q
Summary
An attacker can take control of your AVideo server and steal sensitive information without needing a login. This can happen if you're using an outdated version of AVideo. Update to version 7.0 or later to fix this issue.
What to do
- Update wwbn avideo to version 7.0.0.
- Update wwbn wwbn/avideo to version 7.0.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wwbn | avideo | <= 7.0.0 | 7.0.0 |
| wwbn | wwbn/avideo | <= 7.0.0 | 7.0.0 |
| wwbn | avideo-encoder | <= 7.0 | – |
Original title
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base6...
Original description
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
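A log check a defender could run for this issue, as an added example that is not part of the advisory or of AVideo's code: it decodes the base64Url GET parameter from web access log lines and reports requests whose decoded value contains shell command substitution (`$(` or backticks). The log lines, the `/PLACEHOLDER.php` path and the function names are constructed for illustration; the advisory does not name the affected endpoint.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Shell command substitution forms: $(...) and `...`
SUBSTITUTION = re.compile(r"\$\(|`")
# Client address and request target in a combined-format access log line
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def decode_base64url(value):
    """Decode standard or URL-safe base64, tolerating stripped padding."""
    value = value.replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan(lines):
    """Return (client, decoded) where base64Url decodes to command substitution."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        for raw in parse_qs(urlsplit(target).query).get("base64Url", []):
            # parse_qs turns a literal '+' into a space; undo that
            decoded = decode_base64url(raw.replace(" ", "+"))
            if decoded is not None and SUBSTITUTION.search(decoded):
                hits.append((client, decoded))
    return hits

def sample_line(client, decoded):
    """Build a constructed log line; /PLACEHOLDER.php is not a real path."""
    token = base64.urlsafe_b64encode(decoded.encode()).decode().rstrip("=")
    return (f'{client} - - [06/Mar/2026:10:00:00 +0000] '
            f'"GET /PLACEHOLDER.php?base64Url={token} HTTP/1.1" 200 512')

SAMPLE_LOG = [  # constructed entries, documentation address range
    sample_line("203.0.113.5", "https://media.example/clip.mp4"),
    sample_line("203.0.113.9", "https://media.example/$(echo constructed).mp4"),
    sample_line("203.0.113.7", "https://media.example/`echo constructed`.mp4"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A hit shows that a request carried command substitution in the parameter, not that it executed; an empty result does not rule out exploitation if logs were rotated or the value was sent another way.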
nvd CVSS3.1
9.8
Vulnerability type
CWE-78
OS Command Injection
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026