CVE-2026-45578: WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
WWBN AVideo is an open source video platform. In versions 29.0 and earlier there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A single quote (') in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands.
HarborGuard Analysis
Synopsis
This is an OS command injection in WWBN AVideo's Live plugin (plugin/Live/on_publish.php), where execAsync() builds a shell command by string-concatenating user-controlled values and single-quoting them without calling escapeshellarg(). An attacker who can authenticate with any low-privilege account on a reachable AVideo instance can inject a single quote into $users_id, $m3u8, or $liveTransmitionHistory_id and append arbitrary shell commands that run as the web server user. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment a fix ships.
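The quoting defect the synopsis describes, beside a hardened form that escapes and validates each argument, as an added PHP example that is not AVideo's or HarborGuard's code; the script path, argument order, function names and the sample URL are assumptions.

```php
<?php
// Added example, not AVideo's or HarborGuard's code. The script path, argument
// order and function names are assumptions used only to contrast the two styles.

// The pattern the advisory describes: each value is wrapped in single quotes by
// hand, so a single quote inside any value ends the quoted token early and the
// shell parses whatever follows as further input.
function buildNotifyCommandUnsafe(string $usersId, string $m3u8, string $historyId): string
{
    return "php /var/www/html/plugin/Live/notify.php '{$usersId}' '{$m3u8}' '{$historyId}'";
}
// Hardened form: escapeshellarg() quotes each value itself and rewrites any
// embedded single quote, so every argument always stays one shell token.
function buildNotifyCommandSafe(string $usersId, string $m3u8, string $historyId): string
{
    return 'php /var/www/html/plugin/Live/notify.php '
        . escapeshellarg($usersId) . ' '
        . escapeshellarg($m3u8) . ' '
        . escapeshellarg($historyId);
}
// Defence in depth: validate before any shell-out. The two ids must be plain
// integers; the playlist must be an http(s) URL whose path ends in .m3u8.
function validateNotifyInputs(string $usersId, string $m3u8, string $historyId): bool
{
    if (!ctype_digit($usersId) || !ctype_digit($historyId)) {
        return false;
    }
    $parts = parse_url($m3u8);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return (bool) preg_match('/\.m3u8$/i', $parts['path']);
}
// Validation first, then escaping: a URL path may legitimately contain a quote,
// so the allow-list alone is not enough and escapeshellarg() stays mandatory.
function buildNotifyCommandChecked(string $usersId, string $m3u8, string $historyId): string
{
    if (!validateNotifyInputs($usersId, $m3u8, $historyId)) {
        throw new InvalidArgumentException('rejected notify arguments');
    }
    return buildNotifyCommandSafe($usersId, $m3u8, $historyId);
}
// Constructed sample: a playlist URL that merely contains a single quote.
$m3u8 = "https://cdn.example.test/live/o'connor.m3u8";
echo buildNotifyCommandUnsafe('42', $m3u8, '7'), PHP_EOL;  // quoted token closes early
echo buildNotifyCommandChecked('42', $m3u8, '7'), PHP_EOL; // one token per argument
```

On Linux, escapeshellarg() rewrites an embedded single quote as '\'' so the argument remains a single token; the allow-list check is a second layer, not a substitute for it.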
HarborGuard Coverage
Detection: Available. The advisory is ingested from upstream feeds within minutes of publication and matched against AVideo images in customer registries and CI pipelines, including custom-built derivatives that repackage AVideo 29.0 or earlier.
Triage: Available. Triage uses the published CVSS 3.1 score of 8.8 (high) weighted against each customer's compliance policy, so internet-exposed AVideo workloads are escalated more aggressively than isolated staging instances and findings route to the right inbox inside each customer org.
Remediation: Pending upstream. No upstream fix version exists yet. HarborGuard re-checks the WWBN advisory on each ingest cycle and will make a patched-image rebuild available the moment the maintainers publish a fixed release; auto-remediation customers will then get the rebuild, a regression test run, and a PR opened against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the AVideo on_publish endpoint over the network (AV:N).
- Authentication: Required
PR:L means any low-privilege AVideo account is sufficient to trigger the vulnerable code path.
- Victim interaction: Not required
UI:N: no admin or user has to click or open anything for the injection to fire.
- Attack complexity: Low
AC:L: the exploit is reliable, requiring only a single quote in one of three interpolated values to break out of the shell-quoted token.
Blast Radius
- Executes arbitrary shell commands as the AVideo web server user, giving full code execution inside the container.
- Reads any file the web process can access, including AVideo configuration, database credentials, and stored session material.
- Modifies or deletes video content, user records, and database rows reachable from the AVideo backend.
- Can crash or wedge the Live streaming service and pivot to other services reachable from the container's network namespace.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the WWBN advisory for AVideo 29.0 and earlier, with the CVE already matched against AVideo images in customer registries and pipelines. Until an upstream fix ships, suggested compensating controls include restricting the on_publish endpoint to trusted RTMP ingest sources via network policy, tightening egress filtering on the AVideo container to limit post-exploitation reach, and requiring stronger authentication on any account that can publish a stream. The moment WWBN publishes a fixed release, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled get the rebuild, regression run, and a PR opened against affected workloads without further action.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: not yet available
- Affected Products: 1 (WWBN / AVideo <= 29.0)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H