CVE-2026-29058
Impact
An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption.
Root Cause
The base64Url parameter is Base64-decoded and then interpolated directly into a double-quoted ffmpeg shell command without proper shell escaping. The upstream validation uses FILTER_VALIDATE_URL, which validates URL syntax but does not prevent shell metacharacters or command substitution sequences from being interpreted by the shell.
Affected Components
- objects/getImage.php
- objects/security.php
- Execution path via async command execution helper (shell_exec/nohup)
Patches
Apply strict shell argument escaping (e.g., escapeshellarg()) to all user-supplied values before building any shell command, and avoid double-quoted interpolation of untrusted input. Prefer safer process execution patterns where possible.
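As an added example (not code from AVideo-Encoder or this advisory), the following contrasts the pattern described under Root Cause with the escapeshellarg() fix recommended above. The function names, the ffmpeg arguments, the output path and the sample URL are assumptions constructed for illustration; nothing here executes a command, both builders only return the string that would be passed to the shell. It assumes a POSIX shell, where escapeshellarg() uses single quotes.

```php
<?php
// Added example, not project code. Function names, ffmpeg arguments,
// output path and sample URL are assumptions for illustration.

// Pattern the advisory describes: the decoded value is validated only for
// URL syntax and then interpolated into a double-quoted shell string.
// Double quotes do not stop the shell from interpreting $(), backticks or
// an embedded quote character.
function build_ffmpeg_cmd_unsafe(string $b64): ?string
{
    $url = base64_decode($b64, true);
    if ($url === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null; // syntax check only; says nothing about shell safety
    }
    return "ffmpeg -i \"{$url}\" -frames:v 1 /tmp/thumb.jpg";
}

// Hardened pattern: escapeshellarg() wraps the whole value in single quotes
// and escapes any embedded single quote, so the shell sees one literal word.
function build_ffmpeg_cmd_safe(string $b64): ?string
{
    $url = base64_decode($b64, true);
    if ($url === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Defence in depth: accept only the schemes this endpoint needs.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return 'ffmpeg -i ' . escapeshellarg($url) . ' -frames:v 1 /tmp/thumb.jpg';
}

// Constructed input: a URL that FILTER_VALIDATE_URL accepts but whose query
// carries a quote and parentheses, characters the shell would interpret.
$b64 = base64_encode("https://example.com/clip.mp4?t=a'b(c)");

echo "unsafe: ", build_ffmpeg_cmd_unsafe($b64) ?? 'rejected', PHP_EOL;
echo "safe:   ", build_ffmpeg_cmd_safe($b64) ?? 'rejected', PHP_EOL;
```

Running it shows that both builders accept the same input (FILTER_VALIDATE_URL passes it), but the unsafe builder copies the quote character straight into the double-quoted string, while the safe builder emits a single quoted argument with the embedded quote escaped. The scheme allowlist is an extra check beyond the advisory's fix; escapeshellarg() alone addresses the interpolation.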
Workarounds
- Restrict access to objects/getImage.php at the web server / reverse proxy layer (IP allowlist, auth, or disable the endpoint if not needed).
- Apply WAF rules to block suspicious patterns and limit exposure until a patch is deployed.
Resources
- Report: "Unauthenticated OS Command Injection in AVideo-Encoder"
References
- https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q
- https://github.com/WWBN/AVideo-Encoder
