A significant security vulnerability has been identified in AVideo, a popular open-source video hosting and streaming platform. Known as CVE-2026-29058, this zero-click command injection flaw poses a severe threat, allowing attackers to execute arbitrary system commands on targeted servers without authentication.
AVideo Platform at Risk
Security researcher Arkmarta discovered this vulnerability, which specifically impacts AVideo version 6.0. The issue has been addressed in version 7.0 and subsequent releases. Classified under CWE-78, this network-based attack requires neither system privileges nor user interaction, making it particularly dangerous.
Successful exploitation could lead to total server control, exposure of sensitive data, and complete hijacking of live video streams. The vulnerability stems from improper handling of the objects/getImage.php component within the AVideo platform.
Technical Details and Exploitation Risks
The vulnerability arises when the platform processes network requests containing a base64Url parameter. AVideo decodes this input and integrates it directly into a double-quoted ffmpeg shell command. Although the software applies basic URL syntax checks, it fails to neutralize harmful shell metacharacters or command sequences.
This oversight allows remote attackers to append malicious commands, enabling them to execute arbitrary code, steal internal credentials, or disrupt streaming operations. Administrators using AVideo-Encoder version 6.0 are urged to upgrade to version 7.0 or later to mitigate these risks.
Mitigation Strategies and Recommendations
The patched release resolves the vulnerability by strictly escaping the shell argument with functions like escapeshellarg() before the command is assembled. Such escaping wraps the user-supplied value in single quotes and escapes any quotes embedded in it, so the value reaches ffmpeg as a single argument and cannot alter the structure of the command.
For those unable to upgrade immediately, deploying temporary measures is essential. Restricting access to the vulnerable objects/getImage.php endpoint through IP allowlisting at the web server or reverse proxy level is recommended. Additionally, applying Web Application Firewall (WAF) rules to detect and block suspicious Base64-encoded patterns can enhance protection.
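As an added illustration (not AVideo's own code) of the pattern described above and of the escapeshellarg() fix, the PHP script below builds the ffmpeg command both ways for constructed inputs and includes a URL check of the kind a WAF rule or log review could apply to decoded base64Url values; the function names and sample URLs are assumptions.

```php
<?php
// Added example, not AVideo's code: models the article's pattern (a base64url
// URL parameter placed into an ffmpeg command) and contrasts double-quoted
// interpolation with escapeshellarg(). Names and samples are constructed;
// nothing here executes ffmpeg.
function decodeBase64Url(string $s): ?string {
    $b64 = strtr($s, '-_', '+/');
    if ($pad = strlen($b64) % 4) {
        $b64 .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode($b64, true);
    return $out === false ? null : $out;
}

// Unsafe form (comparison only): a `"` inside $url ends the argument and the
// shell treats whatever follows as further command text.
function buildCommandUnsafe(string $url): string {
    return "ffmpeg -i \"$url\" -vframes 1 thumb.jpg";
}

// Hardened form: escapeshellarg() single-quotes the value and escapes embedded
// single quotes, so the whole value reaches ffmpeg as exactly one argument.
function buildCommandSafe(string $url): string {
    return 'ffmpeg -i ' . escapeshellarg($url) . ' -vframes 1 thumb.jpg';
}

// Defence in depth and a log-review aid: only http(s) URLs with a host, and no
// characters that can change shell parsing. Returns a reason, or null if clean.
function checkMediaUrl(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
        return 'not an http(s) URL';
    }
    if (preg_match('/[\s"\'`$\\\\;|&<>(){}]/', $url)) {
        return 'contains shell metacharacters';
    }
    return null;
}

// Constructed samples: a normal thumbnail URL and one carrying a quote-break.
foreach (['https://example.com/clip.mp4', 'https://example.com/clip.mp4" "$HOME'] as $url) {
    $param   = rtrim(strtr(base64_encode($url), '+/', '-_'), '=');  // as sent in a request
    $decoded = decodeBase64Url($param) ?? '';
    echo "param=$param\n  decoded=$decoded\n";
    echo "  check:  " . (checkMediaUrl($decoded) ?? 'ok') . "\n";
    echo "  unsafe: " . buildCommandUnsafe($decoded) . "\n";
    echo "  safe:   " . buildCommandSafe($decoded) . "\n";
}
```

Comparing the two printed command strings for the second sample shows the double-quoted form splitting into extra arguments while the escapeshellarg() form stays a single quoted argument.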
If the image retrieval feature is non-essential, disabling it can further safeguard the platform.
