CVE-2026-29058: WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php

March 3, 2026 (updated March 6, 2026)

An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption.

References

github.com/WWBN/AVideo-Encoder
github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q
github.com/advisories/GHSA-9j26-99jh-v26q
nvd.nist.gov/vuln/detail/CVE-2026-29058

Code Behaviors & Features

Detect and mitigate CVE-2026-29058 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →