CVE-2026-33648: AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path

March 25, 2026

The restreamer endpoint constructs a log file path by embedding user-controlled users_id and liveTransmitionHistory_id values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to exec(), allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as $() or backticks.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/99b865413172045fef6a98b5e9bfc7b24da11678
github.com/WWBN/AVideo/security/advisories/GHSA-5m4q-5cvx-36mw
github.com/advisories/GHSA-5m4q-5cvx-36mw
nvd.nist.gov/vuln/detail/CVE-2026-33648

Code Behaviors & Features

Detect and mitigate CVE-2026-33648 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →