CVE-2026-33319
MEDIUM 5.9
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.
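The pattern described above, as an added example that is not AVideo's code: the function names, the `curl` command shape, the `upload.example.com` allowlist and the sample URL are all assumptions made for illustration. The functions only build command strings; nothing is executed.

```php
<?php
// Added illustration, not code from the AVideo project. Names, the curl
// command shape and the host allowlist are hypothetical.

// Pattern from the description: an API-supplied URL interpolated into a shell string.
function buildUploadCommandUnsafe(string $uploadUrl, string $videoPath): string
{
    return "curl -s -X PUT --upload-file {$videoPath} --url '{$uploadUrl}'";
}

// Hardened pattern: treat the API response as untrusted, validate it,
// then pass every dynamic value through escapeshellarg().
function buildUploadCommandSafe(string $uploadUrl, string $videoPath, array $allowedHosts): string
{
    $parts = parse_url($uploadUrl);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        throw new InvalidArgumentException('upload URL must use https');
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException("unexpected upload host: {$host}");
    }
    // A well-formed URL never carries raw whitespace or control bytes.
    if (preg_match('/[\x00-\x20\x7f]/', $uploadUrl)) {
        throw new InvalidArgumentException('upload URL contains whitespace or control characters');
    }
    return 'curl -s -X PUT --upload-file ' . escapeshellarg($videoPath)
         . ' --url ' . escapeshellarg($uploadUrl);
}

// Constructed sample values (not taken from any real API response).
$allowed = ['upload.example.com'];
$benign  = 'https://upload.example.com/v1/session/abc123';
$hostile = "https://upload.example.com/v1'; echo INJECTED #";

// The embedded quote ends the quoted argument, so the shell would see a second command.
echo buildUploadCommandUnsafe($hostile, '/tmp/video.mp4'), PHP_EOL;
// escapeshellarg() alone keeps the same value as a single argument.
echo escapeshellarg($hostile), PHP_EOL;
// The validated builder accepts the benign URL and rejects the hostile one.
echo buildUploadCommandSafe($benign, '/tmp/video.mp4', $allowed), PHP_EOL;
try {
    buildUploadCommandSafe($hostile, '/tmp/video.mp4', $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where the transfer can be done without a shell at all, for example through PHP's curl extension, the quoting problem does not arise in the first place.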
CVE Details
CVSS v3.1 Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Published: 3/22/2026
Last Modified: 3/24/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
wwbn:avideo
Weaknesses (CWE)
CWE-78
References
https://github.com/WWBN/AVideo/commit/67d932eb05e1bc9b36796f73ff4f9fb47590598b (security-advisories@github.com)
https://github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.