CVE-2026-63304 in AVideoinfo

Summary

by MITRE • 07/16/2026

AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses() function interpolates unsanitized keyword parameters inside single quotes without escaping. Attackers who can craft a valid encrypted codeToExec payload can break out of the single-quoted grep context and execute arbitrary OS commands as the web-server user.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability exists within Video through version 29.0 in the plugin/API/standAlone/functions.php file where the listFFmpegProcesses() function fails to properly sanitize user input before incorporating it into operating system commands. The flaw manifests when keyword parameters are interpolated directly into single-quoted grep contexts without appropriate escaping mechanisms, creating a classic operating system command injection vulnerability that falls under CWE-78. The specific implementation uses shell commands that execute grep with user-supplied parameters within single quotes, which provides insufficient protection against malicious input containing shell metacharacters.

The attack vector requires an adversary to craft a valid encrypted codeToExec payload that can manipulate the execution flow of the system commands. When the vulnerable function processes this payload, it allows attackers to escape the single-quoted grep context through carefully crafted input sequences that exploit the lack of proper escaping. This enables arbitrary command execution with the privileges of the web server user, which typically runs with limited but potentially elevated permissions depending on the hosting environment configuration.

The operational impact of this vulnerability is significant as it provides attackers with a direct path to execute arbitrary operating system commands on the affected server. The web server user context typically has access to the application files, database connections, and potentially other system resources that could be leveraged for further compromise. This type of vulnerability enables attackers to establish persistent access, escalate privileges, exfiltrate data, or deploy additional malicious payloads within the compromised environment.

Mitigation strategies should focus on implementing proper input sanitization and command execution practices. The primary fix involves escaping all user-supplied parameters before incorporating them into shell commands, specifically using functions like escapeshellarg() in php to properly escape single-quoted contexts. Additionally, implementing principle of least privilege for web server accounts, employing input validation frameworks, and utilizing secure coding practices that avoid direct shell command construction with user input are essential measures. Organizations should also consider implementing web application firewalls and monitoring for suspicious command execution patterns as part of their defensive posture. This vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1068 for exploit for privilege escalation, making it a critical target for immediate remediation efforts.

Responsible

VulnCheck

Reservation

07/16/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!