CVE-2026-29058 Avideo — Exploit & Vulnerability Details CRITICAL

CVE-2026-29058

CRITICAL CVSS 3.1: 9.8 EPSS 0.10%

Parameter	Value
CVSS	9.8 (CRITICAL)
Fixed In	7.0
Type	CWE-78 (OS Command Injection (Внедрение команд ОС))
Vendor	Avideo
Public PoC	No

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption.

This issue has been patched in version 7.0.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Privileges Required

None

Права не нужны

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

High

Полная модификация данных

Availability

High

Полный отказ в обслуживании

CVSS Vector v3.1

Weakness Type (CWE)

CWE-78 OS Command Injection (Внедрение команд ОС)

References 1

https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q

security-advisories@github.com

Share Post Share Share Share

Menu

CVE-2026-29058

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 1

CVE Details

Editor's Choice