GMS-2023-226: AVideo contains Command injection when embedding a video link
Impact:
An attacker could remotely execute code on a system running wwbn/avideo.
Steps to Reproduce:
- Go to the My Videos tab: https://demo.avideo.com/mvideos
- Click “Embed a video link”
- Append a command to the URL as a query string, e.g. ?whoami, then click Save
This issue has been resolved in commit 236228f15
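One way to keep an embedded link inert, as an added example that is not AVideo's code and not the change made in commit 236228f15: validate the link and pass it to the external program as an argument vector rather than through a shell. The function names and the use of `curl` as the external program are assumptions; the page does not say which command the link reaches.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo code. Assumption: the saved link is later handed
// to an external program; `curl` stands in for that program here.

/** Return the link if it is a plain http(s) URL, otherwise null. */
function validate_embed_url(string $url): ?string
{
    // Whitespace and control characters never belong in a stored link.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host   = (string) parse_url($url, PHP_URL_HOST);
    // The scheme allow-list also guarantees the value cannot start with "-".
    return in_array($scheme, ['http', 'https'], true) && $host !== '' ? $url : null;
}

/** Fetch response headers for a link without ever invoking a shell. */
function probe_link(string $url): ?string
{
    $safe = validate_embed_url($url);
    if ($safe === null) {
        return null;
    }
    // Array form of proc_open (PHP >= 7.4) executes the program directly, so
    // "?", "&", ";" or backticks in the query string stay inert data.
    $argv = ['curl', '--silent', '--head', '--max-time', '5', $safe];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    array_map('fclose', $pipes);
    proc_close($proc);
    return $out === false ? null : $out;
}

// Constructed sample links; only the validator runs here, so no network is needed.
foreach (['https://example.com/video.mp4?whoami', 'ftp://example.com/video.mp4',
          "https://example.com/video.mp4\n", 'example.com/video.mp4'] as $link) {
    printf("%-40s %s\n", json_encode($link), validate_embed_url($link) === null ? 'rejected' : 'accepted');
}
```

Characters such as `&` and `?` are legitimate in URLs, so the example does not try to blacklist shell metacharacters; removing the shell from the call path is what keeps the query string from being interpreted.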