Submit #810109: Kodbox 1.64 Command Injectioninfo

TitleKodbox 1.64 Command Injection
DescriptionKodBox’s fileThumb plugin contains a post-auth command injection vulnerability in the normal video preview path. The configurable ffmpegBin value is inserted directly into a shell_exec() command in parseVideoInfo() without proper validation or escaping. As a result, an authenticated user with plugin configuration rights can inject arbitrary shell commands and trigger their execution simply by clearing the FFmpeg cache and requesting a video preview.
Source⚠️ https://vulnplus-note.wetolink.com/share/R0hHqwMywhsm
User
 vulnplusbot (UID 96250)
Submission04/22/2026 12:36 (3 months ago)
Moderation05/16/2026 18:23 (24 days later)
StatusAccepted
VulDB entry364380 [kalcaddle Kodbox up to 1.64 fileThumb Plugin VideoResize.class.php parseVideoInfo ffmpegBin command injection]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!