A severe flaw has been identified in AVideo, a popular open-source video hosting and streaming platform. Tracked as CVE-2026-29058 and assigned the highest severity rating, the vulnerability requires no authentication and no user interaction and lets remote attackers execute arbitrary operating system commands on the affected server.
Discovered by security analyst Arkmarta, the vulnerability affects AVideo version 6.0 and is fixed in version 7.0 and later.
It is classified as CWE-78 (improper neutralization of special elements used in an OS command). The attack is carried out over the network and needs neither privileges on the system nor any action by a user.
Successful exploitation gives an attacker full control of the server, including access to sensitive configuration secrets and the ability to take over live video streams.
AVideo Platform Vulnerability
The root cause lies in the objects/getImage.php module of the AVideo platform.
The module accepts a request parameter named base64Url, Base64-decodes it, and interpolates the decoded value directly into a double-quoted ffmpeg shell command.
The code does validate the decoded value, but only with a standard URL filter, which checks URL syntax and nothing more.
A syntactically valid URL can still contain shell metacharacters and command-substitution sequences, and the filter does nothing to neutralize them.
Because the value is never escaped for the shell before the command runs, a remote attacker can append arbitrary commands to the ffmpeg invocation.
This allows unauthenticated attackers to execute arbitrary code, read internal credentials, or disrupt the server's streaming functions.
According to the advisory on GitHub, administrators running AVideo-Encoder version 6.0 should upgrade to version 7.0 or later.
The patched version escapes the user-supplied value as a single shell argument with escapeshellarg() before it reaches the command line.
With the value properly quoted, shell metacharacters in the input are passed through as literal text, so an attacker can no longer break out of the intended command.
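The vulnerable and patched patterns side by side, as an added example written for this article rather than code from the AVideo project or the advisory: a base64Url decoder that checks only URL syntax, a builder that interpolates the result into a double-quoted ffmpeg command, and a hardened builder that uses escapeshellarg(). The function names, the ffmpeg arguments, the URL-safe Base64 handling and the scheme allowlist are assumptions; the sample input is constructed, and the commands are only printed, never executed.

```php
<?php
// Added illustration of the CWE-78 pattern described in the article. This is
// NOT AVideo's code: the function names, the ffmpeg arguments and the
// handling of the base64Url parameter are assumptions.

/**
 * Decodes a URL-safe Base64 value and checks that the result is a
 * syntactically valid URL. This mirrors the insufficient check described
 * above: FILTER_VALIDATE_URL accepts characters such as $ ( ) ; | ` " in
 * the path, so a "valid" URL can still carry shell metacharacters.
 */
function decodeBase64Url(string $base64Url): ?string
{
    $b64 = strtr($base64Url, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $url = base64_decode($b64, true);
    if ($url === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $url;
}

/** Vulnerable pattern: the URL is interpolated into a double-quoted command. */
function buildThumbnailCommandVulnerable(string $url, string $outFile): string
{
    // Inside double quotes the shell still expands $(...) and `...`, and a
    // literal " ends the quoted string, so the URL is not contained.
    return "ffmpeg -y -i \"{$url}\" -frames:v 1 \"{$outFile}\"";
}

/** Hardened pattern: allowlist the scheme, then pass each value as one escaped argument. */
function buildThumbnailCommandFixed(string $url, string $outFile): ?string
{
    // The scheme allowlist is an extra measure (an assumption, not the
    // patch): it keeps ffmpeg's other protocol handlers out of reach.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // escapeshellarg() single-quotes the value, so $(...) and quotes
    // inside it are handed to ffmpeg as literal text.
    return 'ffmpeg -y -i ' . escapeshellarg($url)
         . ' -frames:v 1 ' . escapeshellarg($outFile);
}

// Constructed sample input (not a real request): a URL whose path contains
// a command-substitution sequence, encoded as URL-safe Base64 without padding.
$sampleUrl   = 'http://example.invalid/$(whoami).jpg';
$sampleParam = rtrim(strtr(base64_encode($sampleUrl), '+/', '-_'), '=');

$url = decodeBase64Url($sampleParam);
if ($url === null) {
    exit("the URL filter rejected the sample, which is not what happens in practice\n");
}

// Compare the two command lines: in the first, the shell would run the
// substitution; in the second, the same characters sit inside single quotes.
echo buildThumbnailCommandVulnerable($url, '/tmp/thumb.jpg'), PHP_EOL;
echo buildThumbnailCommandFixed($url, '/tmp/thumb.jpg'), PHP_EOL;
```

Run it with php on Linux, where escapeshellarg() wraps the value in single quotes (on Windows it uses double quotes and replaces % and ! instead). Quoting the argument stops the command injection; it does not stop ffmpeg from fetching whatever URL it is given, which is why the hardened builder also rejects anything but http and https.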
If an immediate upgrade is not possible, security teams should apply interim mitigations to protect their streaming infrastructure.
Administrators should restrict access to the vulnerable objects/getImage.php endpoint at the web server or reverse proxy layer with strict IP allowlisting.
Organizations can also add Web Application Firewall (WAF) rules that block requests whose base64Url parameter carries shell command patterns; because the payload is Base64-encoded, the rule must decode the parameter and inspect the plaintext, as a pattern match on the encoded form is unreliable.
As a last resort, administrators can disable the image retrieval component entirely if it is not needed for day-to-day operation.
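One way to implement the two web-server-layer measures above (IP allowlisting, or disabling the endpoint outright) in nginx, as an added example that is not from the AVideo project or the advisory; the address ranges, the PHP-FPM socket path and the use of an exact-match location are assumptions:

```nginx
# Added example, not from the AVideo project or the advisory. Network ranges,
# the socket path and the document root are assumptions; adapt them to your site.
# Choose ONE of the two location blocks: nginx rejects duplicate locations.

# Variant A: disable the image-retrieval endpoint outright.
location = /objects/getImage.php {
    return 403;
}

# Variant B: keep it reachable only from an allowlist. An exact-match
# location takes precedence over the usual "location ~ \.php$" block, so the
# FastCGI hand-off has to be repeated here (copy it from your PHP location).
location = /objects/getImage.php {
    allow 10.0.0.0/8;       # assumed internal network
    allow 192.0.2.10;       # assumed management host
    deny  all;              # everyone else gets 403 before PHP ever runs

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

If nginx itself sits behind another proxy or load balancer, allow and deny see that proxy's address, so configure set_real_ip_from and real_ip_header first or the allowlist will either block everyone or no one. A regex on the raw base64Url query value is not a substitute for this: the same plaintext encodes to different Base64 text depending on its offset, so a WAF rule needs to decode the parameter before looking for metacharacters and command-substitution sequences.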