GHSA-xr6f-h4x7-r6qp: WWBN AVideo: RCE cause by clonesite plugin

April 16, 2026

The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input (url parameter) without proper sanitization. The input is directly concatenated into a wget command executed via exec(), allowing command injection.

An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., ;). This leads to Remote Code Execution (RCE) on the server.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb
github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp
github.com/advisories/GHSA-xr6f-h4x7-r6qp

Code Behaviors & Features

Detect and mitigate GHSA-xr6f-h4x7-r6qp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →