Critical Zero-Click Vulnerability in AVideo Platform Exposes Servers to Full Takeover
A severe security flaw in the AVideo media streaming platform, tracked as CVE-2026-29058, has been disclosed, enabling unauthenticated attackers to execute arbitrary commands and seize control of vulnerable servers. With a critical severity score of 9.8/10, the vulnerability requires no user interaction or privileges, making it particularly dangerous.
The flaw stems from improper input handling in AVideo version 6.0, specifically in the objects/getImage.php and objects/security.php components. The base64Url parameter is passed into an ffmpeg command line without proper sanitization, so shell commands injected into that parameter are executed along with it. The platform's use of shell_exec and nohup to run that command line further amplifies the risk, allowing deep system-level compromise.
Successful exploitation could lead to full server takeover, data theft, and service disruptions in video streaming environments. The vulnerability was first reported by DanielnetoDotCom, with credit to security researcher arkmarta, and is classified under CWE-78 (improper neutralization of special elements).
Mitigation measures include:
- Upgrading to AVideo version 7.0 or later, which implements escapeshellarg() and removes unsafe command execution practices.
- Restricting access to the vulnerable getImage.php endpoint via IP whitelisting, authentication, or disabling it entirely.
- Deploying Web Application Firewall (WAF) rules to block malicious traffic targeting the flaw.
Organizations running affected versions are urged to apply patches immediately to prevent exploitation.
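The following is an added illustration of the defect class described above and of the escapeshellarg() fix the article credits to version 7.0. It is not AVideo's code: the handler, the function names (ffmpeg_thumbnail_unsafe, ffmpeg_thumbnail_safe), the output path and the sample inputs are all constructed for this example, and they show only the general pattern of a request parameter reaching a shell command, not the platform's actual implementation.

```php
<?php
// Added example, not AVideo's code. A simplified "fetch a thumbnail with
// ffmpeg" handler, first in the unsafe form and then hardened.
// All names and paths here are hypothetical.

declare(strict_types=1);

// UNSAFE: the decoded parameter is concatenated straight into a shell string.
// Whatever shell metacharacters it contains become part of the command that
// shell_exec() would hand to /bin/sh, so the caller controls more than a URL.
function ffmpeg_thumbnail_unsafe(string $base64Url): string
{
    $url = base64_decode($base64Url);
    $cmd = "ffmpeg -i " . $url . " -frames:v 1 /tmp/thumb.jpg";
    return $cmd; // in the vulnerable pattern this string goes to shell_exec()
}

// HARDENED: decode strictly, allowlist the decoded value to what the feature
// actually needs (an http(s) URL), and quote every argument with
// escapeshellarg() so the shell sees each one as a single literal word.
function ffmpeg_thumbnail_safe(string $base64Url): ?string
{
    $url = base64_decode($base64Url, true);      // strict mode rejects non-base64
    if ($url === false) {
        return null;
    }
    if (!filter_var($url, FILTER_VALIDATE_URL)) { // malformed URL: reject
        return null;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    // Scheme allowlist also guarantees the value cannot start with "-", so it
    // can never be parsed by ffmpeg as an option (escapeshellarg alone does
    // not prevent that kind of argument injection).
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $cmd = 'ffmpeg -i ' . escapeshellarg($url)
         . ' -frames:v 1 ' . escapeshellarg('/tmp/thumb.jpg');
    return $cmd;
}

// Constructed inputs: a clean URL and the same URL with a shell separator and
// a harmless command appended. The unsafe builder passes the latter through
// verbatim; the hardened builder rejects it before any command string exists.
$clean = base64_encode('https://example.invalid/video.mp4');
$dirty = base64_encode('https://example.invalid/video.mp4 ; echo injected');

echo ffmpeg_thumbnail_unsafe($dirty), PHP_EOL; // metacharacters reach the shell
var_dump(ffmpeg_thumbnail_safe($dirty));        // NULL: filter_var rejects the space
echo ffmpeg_thumbnail_safe($clean), PHP_EOL;    // every argument single-quoted
```

Two points worth keeping in mind when applying this pattern elsewhere. First, escapeshellarg() neutralizes shell metacharacters but not argument semantics: a value that begins with "-" is still an option to the program that receives it, which is why the scheme allowlist in the hardened version does real work. Second, the shell can be removed from the picture entirely: since PHP 7.4, proc_open() accepts the command as an array, in which case no shell is involved and each array element is delivered to ffmpeg as one argv entry, so there is nothing for a separator like ";" to split.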
Source: https://gbhackers.com/avideo-platform-vulnerability/
WWBN, Ltd. cybersecurity rating report: https://www.rankiteo.com/company/wwbn
"id": "WWB1772807123",
"linkid": "wwbn",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Media/Streaming',
'name': 'AVideo',
'type': 'Software Platform'}],
'attack_vector': 'Network',
'data_breach': {'data_exfiltration': 'Potential data theft'},
'description': 'A severe security flaw in the AVideo media streaming '
'platform, tracked as CVE-2026-29058, has been disclosed, '
'enabling unauthenticated attackers to execute arbitrary '
'commands and seize control of vulnerable servers. The flaw '
'stems from improper input handling in AVideo version 6.0, '
'specifically in the `objects/getImage.php` and '
'`objects/security.php` components. Attackers can exploit the '
'`base64Url` parameter by injecting malicious shell commands, '
'which are then executed via ffmpeg without proper '
'sanitization. The platform’s use of `shell_exec` and `nohup` '
'further amplifies the risk, allowing deep system-level '
'compromise.',
'impact': {'data_compromised': 'Potential data theft',
'downtime': 'Potential service disruptions',
'operational_impact': 'Full server takeover',
'systems_affected': 'AVideo servers running version 6.0'},
'post_incident_analysis': {'corrective_actions': 'Implementation of '
'`escapeshellarg()` and '
'removal of unsafe command '
'execution practices in '
'version 7.0.',
'root_causes': 'Improper input handling in '
'`objects/getImage.php` and '
'`objects/security.php` components, '
'leading to command injection via '
'`base64Url` parameter. Use of '
'unsafe functions (`shell_exec`, '
'`nohup`) without proper '
'sanitization.'},
'recommendations': 'Organizations running affected versions are urged to '
'apply patches immediately to prevent exploitation.',
'references': [{'source': 'Security Researcher (DanielnetoDotCom, arkmarta)'}],
'response': {'containment_measures': ['Upgrading to AVideo version 7.0 or '
'later',
'Restricting access to the vulnerable '
'`getImage.php` endpoint via IP '
'whitelisting, authentication, or '
'disabling it entirely',
'Deploying Web Application Firewall '
'(WAF) rules to block malicious '
'traffic'],
'remediation_measures': 'Implemented `escapeshellarg()` and '
'removed unsafe command execution '
'practices in version 7.0'},
'title': 'Critical Zero-Click Vulnerability in AVideo Platform Exposes '
'Servers to Full Takeover',
'type': 'Remote Code Execution (RCE)',
'vulnerability_exploited': 'CVE-2026-29058 (CWE-78: Improper Neutralization '
'of Special Elements)'}