Remote Code Execution Vulnerability in WWBN AVideo's CloneSite Plugin
CVE-2026-33478

10 CRITICAL

Key Information:

Vendor: Wwbn

CVE Published: 23 March 2026

What is CVE-2026-33478?

The CloneSite plugin in WWBN AVideo, an open-source video platform, contains multiple vulnerabilities that chain together to give unauthenticated attackers remote code execution. The clones.json.php endpoint exposes clone secret keys, which an attacker can use to trigger a complete database dump through cloneServer.json.php. The dump includes admin password hashes stored as MD5, which can be easily cracked. With the resulting administrative access, the attacker can exploit an OS command injection caused by faulty rsync command construction in cloneClient.json.php, allowing arbitrary command execution on the server. Commit c85d076375fab095a14170df7ddb27058134d38c introduces a patch that remediates these issues.
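A log-triage example for the chain described above, added here and not part of the advisory or the AVideo project: it groups successful requests to the three named endpoints by client address and marks any client that reached all three in order. The combined access-log layout, the sample lines, the PLUGIN_PATH placeholder and the stage labels are assumptions.

```python
import re
from collections import defaultdict

# Endpoint file names come from the advisory text; dict order = stage order in the chain.
STAGES = {
    "clones.json.php": "key-disclosure",
    "cloneServer.json.php": "database-dump",
    "cloneClient.json.php": "rsync-command-injection",
}
ORDER = list(STAGES.values())

# Assumption: Apache/nginx "combined" access-log layout.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: documentation IP ranges, placeholder path and query string.
SAMPLE = [
    '192.0.2.10 - - [23/Mar/2026:10:00:01 +0000] "GET /PLUGIN_PATH/clones.json.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [23/Mar/2026:10:00:09 +0000] "GET /PLUGIN_PATH/cloneServer.json.php?x=constructed HTTP/1.1" 200 90311 "-" "-"',
    '198.51.100.7 - - [23/Mar/2026:10:02:44 +0000] "GET /PLUGIN_PATH/clones.json.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [23/Mar/2026:10:03:10 +0000] "GET /PLUGIN_PATH/clones.json.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.10 - - [23/Mar/2026:10:41:30 +0000] "POST /PLUGIN_PATH/cloneClient.json.php HTTP/1.1" 200 64 "-" "-"',
]

def stage_of(target):
    """Map a request target to a chain stage by the script's file name."""
    path = target.split("?", 1)[0]
    return STAGES.get(path.rsplit("/", 1)[-1])

def triage(lines):
    """Return {client_ip: [stages reached, in log order]} for 2xx responses only."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        stage = stage_of(m["target"])
        if stage and stage not in seen[m["ip"]]:
            seen[m["ip"]].append(stage)
    return dict(seen)

def severity(stages):
    """The full ordered chain is critical; any partial hit still needs review."""
    return "critical" if stages == ORDER else ("review" if stages else "none")

if __name__ == "__main__":
    print({ip: (severity(s), s) for ip, s in triage(SAMPLE).items()})
```

Because the final stage runs under an administrator session, it can arrive from a different address than the first two, so partial matches are reported for review rather than dropped.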

Affected Version(s)

AVideo <= 26.0

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
