Critical RCE in WWBN AVideo: Incomplete Patch Leaves Open Source Platform Exposed

The National Vulnerability Database highlights CVE-2026-41064, a critical vulnerability (CVSS 9.3) affecting WWBN AVideo, an open-source video platform. The flaw stems from an incomplete fix for the test.php component in versions up to and including 29.0. While escapeshellarg was added for wget calls, the file_get_contents and curl code paths remain unsanitized. This oversight, combined with a permissive URL validation regex /^http/ that accepts strings like httpevil[.]com, creates a clear path for exploitation.

This isn’t just a coding error; it’s a strategic miss. Attackers can bypass the intended sanitization by simply choosing a different execution path. The CWE-78: Improper Neutralization of Special Elements used in an OS Command classification confirms this is a command injection vector. The ease of exploitation (AV:N, AC:L, PR:N, UI:N) means unauthenticated attackers can trigger this remotely, leading to high confidentiality and low integrity impacts.

For defenders, this means any publicly exposed AVideo instance running an unpatched version is a sitting duck. The incomplete patch demonstrates a common pitfall: addressing a symptom without fully understanding the root cause across all relevant code paths. The fix is in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536, so patching is straightforward, but the strategic lesson is about comprehensive security architecture.