Insecure Code Paths in WWBN AVideo Video Platform
CVE-2026-41064
What is CVE-2026-41064?
WWBN AVideo is a widely used open-source video platform. Versions up to and including 29.0 contain a vulnerability that arises from an incomplete fix in the handling of user-supplied URLs. The fix applied escapeshellarg to the wget command, but the file_get_contents and curl code paths remain unprotected. Potentially malicious URLs are still accepted because the URL validation regex /^http/ matches any string that begins with http, including strings like httpevil[.]com, which could lead to unauthorized access or exposure of sensitive data. An updated fix addressing these flaws can be found in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536. For more details, refer to the security advisories linked in the references.
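The validation gap described above, shown as an added example that is not AVideo's code and not the content of the fixing commit: a prefix-only /^http/ check next to a check that parses the URL and requires an http or https scheme and a host. The function names and sample URLs are constructed for illustration.

```php
<?php
// Added example, not AVideo code. Function names and sample URLs are constructed.

// Prefix-only check as described in the advisory: anything starting with "http" passes.
function weak_is_url(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Stricter check: parse the URL and require an explicit http/https scheme and a host.
function strict_is_url(string $url): bool
{
    // Whitespace and control characters have no place in a URL; reject them outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Compare the parsed scheme against an allowlist instead of matching a prefix.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials are not needed for a media URL; refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return $parts['host'] !== '';
}

// Constructed sample inputs.
$samples = [
    'https://videos.example/clip.mp4',      // well-formed
    'http://videos.example:8080/clip.mp4',  // well-formed, explicit port
    'httpevil.example/clip.mp4',            // no scheme separator at all
    'httpx://videos.example/clip.mp4',      // scheme merely starts with "http"
    'http:/videos.example/clip.mp4',        // scheme present, host missing
    'http://videos.example/clip .mp4',      // embedded whitespace
];

foreach ($samples as $s) {
    printf("%-40s weak=%-4s strict=%s\n", $s,
        weak_is_url($s) ? 'pass' : 'fail',
        strict_is_url($s) ? 'pass' : 'fail');
}
```

Every sample passes the prefix check, while only the first two pass the parsed check. Scheme validation alone does not cover the unprotected file_get_contents and curl paths the advisory mentions.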
Affected Version(s)
AVideo <= 29.0
