CVE-2026-33319: AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

March 19, 2026

The uploadVideoToLinkedIn() method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn’s API response, without sanitization via escapeshellarg(). If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc
github.com/advisories/GHSA-w5ff-2mjc-4phc
nvd.nist.gov/vuln/detail/CVE-2026-33319

Code Behaviors & Features

Detect and mitigate CVE-2026-33319 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →