CVE-2026-41064 CRITICAL

CVE-2026-41064: AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)

Vendor Wwbn
Product AVideo
Weakness CWE-78
Published April 21, 2026
Last update April 22, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated