CVE-2026-41064: WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
The fix for CVE-2026-33502 in AVideo's test.php is incomplete: it wraps the URL in escapeshellarg on the wget code path only, leaving the file_get_contents and curl code paths unsanitized, and its URL validation regex /^http/ is a bare prefix match that accepts any string beginning with those four letters, such as httpevil.com.
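As an added example, not code from AVideo or from either advisory, the following PHP models the two weaknesses described above: a prefix-only regex check beside a check that whitelists the scheme, and escapeshellarg applied on every path that hands the URL to a shell rather than on one of them. The function names, the command-building helper and the sample URLs are hypothetical.

```php
<?php
// Added illustrative example; not code from AVideo or from the advisory.
// Function names, the command-building helper and the sample URLs are hypothetical.

// Prefix-only check of the kind the advisory describes: /^http/ matches any
// string that merely begins with the four letters "http".
function weakUrlCheck(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Stricter check: the value must parse as an absolute URL, carry a host, and use
// an explicitly whitelisted scheme. FILTER_VALIDATE_URL also rejects strings
// containing whitespace or control characters.
function strictUrlCheck(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true);
}

// Every path that hands the URL to a shell must wrap it in escapeshellarg.
// ';', '&', '|', '$' and backticks are all legal URL characters, so a URL that
// passes strictUrlCheck() still needs escaping before it reaches a command line.
function buildFetchCommand(string $tool, string $url): string
{
    if (!strictUrlCheck($url)) {
        throw new InvalidArgumentException("Refusing non-http(s) URL: $url");
    }
    $arg = escapeshellarg($url);
    switch ($tool) {
        case 'wget':
            return 'wget -q -O - ' . $arg;
        case 'curl':
            return 'curl -s ' . $arg;
        default:
            throw new InvalidArgumentException("Unknown fetch tool: $tool");
    }
}

// Constructed sample inputs.
$samples = [
    'https://example.com/video.mp4',   // well-formed, allowed scheme
    'httpevil.com',                    // passes /^http/, has no scheme at all
    'ftp://example.com/video.mp4',     // parses, but scheme is not whitelisted
    "http://example.com/a\nid",        // newline: rejected by FILTER_VALIDATE_URL
    'http://example.com/a;id',         // URL-legal ';' survives validation
];

foreach ($samples as $url) {
    printf("%-36s weak=%-4s strict=%s\n",
        json_encode($url, JSON_UNESCAPED_SLASHES),
        weakUrlCheck($url) ? 'pass' : 'fail',
        strictUrlCheck($url) ? 'pass' : 'fail');
}

// The ';' payload is passed to the shell as one quoted argument, not as a
// command separator, because the curl path is escaped like the wget path.
echo buildFetchCommand('curl', 'http://example.com/a;id'), PHP_EOL;
```

The last sample is the one to watch: it is a perfectly valid URL, so no amount of URL validation removes the `;`. Scheme whitelisting fixes the /^http/ problem; only applying escapeshellarg on every shell-bound path fixes the injection, which is why a fix that covers wget alone remains incomplete.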
References
- github.com/WWBN/AVideo
- github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
- github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536
- github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
- github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j
- github.com/advisories/GHSA-pq8p-wc4f-vg7j
- nvd.nist.gov/vuln/detail/CVE-2026-33502
- nvd.nist.gov/vuln/detail/CVE-2026-41064