Shell Metacharacter Injection in WWBN AVideo Open Source Video Platform
CVE-2026-45578

8.8HIGH

Key Information:

Vendor: Wwbn
Status: Avideo
Vendor: CVE Published:; 29 May 2026

What is CVE-2026-45578?

WWBN AVideo is an open source video platform that contains a vulnerability in versions 29.0 and earlier. The issue arises within the YPTSocket notification branch of the plugin, specifically in the on_publish.php file. Due to improper handling of string concatenation in the execAsync() command line, where arguments are single-quoted but not sanitized using escapeshellarg(), an attacker can exploit this by injecting malicious shell metacharacters. If an attacker successfully manipulates any of the interpolated values, it allows for the execution of arbitrary system commands, thereby posing significant security risks to the affected systems.

Affected Version(s)

AVideo <= 29.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-x...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 12, 2026

CVE-2026-45578 Data

JSON

Wwbn

What is CVE-2026-45578?

Affected Version(s)

References

CVSS V3.1

Timeline