๐Ÿ” CVE Alert

CVE-2026-33319

MEDIUM 5.9

AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

CVSS Score: 5.9
EPSS Score: 0.0%
EPSS Percentile: 0th

WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.
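
The pattern described above, shown beside a hardened form. This is an added example, not AVideo's code or the 26.0 patch; the curl command line, the function names, the sample URLs and the host allowlist are assumptions made for illustration.

```php
<?php
// Added illustration (PHP 8+), not AVideo's code. The curl command line,
// function names and host allowlist are assumptions for this example.
// Commands are only built and printed, never executed.

// Vulnerable pattern: values are spliced into the command line unquoted,
// so the shell interprets ';', '$( )', backticks, '&' and '|' inside them.
function buildUploadCommandUnsafe(string $url, string $file): string
{
    return "curl -X PUT --upload-file {$file} --url {$url}";
}

// Hardened pattern: validate the URL, then quote every argument.
function buildUploadCommandSafe(string $url, string $file, array $allowedHosts): string
{
    $parts = parse_url($url);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException('upload URL must be absolute https');
    }
    $host = strtolower($parts['host']);
    $allowed = false;
    foreach ($allowedHosts as $suffix) {
        if ($host === $suffix || str_ends_with($host, '.' . $suffix)) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed) {
        throw new InvalidArgumentException("unexpected upload host: {$host}");
    }
    return 'curl -X PUT --upload-file ' . escapeshellarg($file)
         . ' --url ' . escapeshellarg($url);
}

// Constructed samples standing in for a tampered API response.
$file     = '/var/www/videos/clip 01.mp4';
$tampered = 'https://upload.example.invalid/v1?id=1;touch /tmp/marker';
$offHost  = 'https://files.example.net/v1?id=1';
$allowed  = ['example.invalid']; // placeholder; use the API's documented hosts

echo buildUploadCommandUnsafe($tampered, $file), PHP_EOL; // ';' splits the command
echo buildUploadCommandSafe($tampered, $file, $allowed), PHP_EOL; // one quoted argument
try {
    buildUploadCommandSafe($offHost, $file, $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Performing the upload without a shell at all, for example through PHP's cURL extension, removes this class of bug rather than relying on quoting.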

CWE: CWE-78
Vendor: wwbn
Product: avideo
Published: Mar 22, 2026
Last Updated: Mar 23, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

WWBN / AVideo: < 26.0

References

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc
github.com: https://github.com/WWBN/AVideo/commit/67d932eb05e1bc9b36796f73ff4f9fb47590598b