Critical Zero-Click Command Injection in AVideo Platform Allows Stream Hijacking
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical vulnerability in AVideo, a widely used open-source video hosting and streaming platform.<\/a> Tracked as CVE-2026-29058, this zero-click flaw<\/a> carries a maximum severity rating, allowing unauthenticated attackers to execute arbitrary operating system commands on the targeted server.<\/p>\n Discovered by security researcher Arkmarta, the vulnerability specifically affects AVideo version 6.0. It has been officially patched in version 7.0 and later releases.<\/p>\n Classified under CWE-78 for the improper neutralization of special elements in an OS command<\/a>, this network-based attack requires no system privileges or user interaction.<\/p>\n If successfully exploited, attackers could achieve full server compromise, steal sensitive configuration secrets, and completely hijack live video streams.<\/a><\/p>\n The root cause of this severe vulnerability lies within the\u00a0objects\/getImage.php\u00a0component of the AVideo platform.<\/p>\n The issue occurs when the application processes network requests that contain a\u00a0base64Url\u00a0parameter.<\/p>\n The platform Base64-decodes this user-supplied input<\/a> and interpolates it directly into a double-quoted\u00a0ffmpeg\u00a0shell command.<\/p>\n While the software attempts to validate the input using standard URL filters, this function only checks for basic URL syntax.<\/p>\n It entirely fails to neutralize dangerous shell metacharacters or command substitution<\/a> sequences.<\/p>\n Because the application does not properly escape this untrusted data before executing the command, remote attackers can easily append malicious instructions.<\/p>\n This allows unauthorized users to run arbitrary code<\/a>, exfiltrate internal credentials, or intentionally disrupt the server\u2019s streaming capabilities.<\/p>\n According to the advisory on GitHub<\/a>, administrators running AVideo-Encoder version 6.0 should upgrade to version 7.0 or later to secure their environments.<\/p>\n The official patched release resolves the issue by applying strict shell argument escaping, utilizing functions like\u00a0escapeshellarg().<\/p>\n This crucial fix ensures that all user-supplied input is properly sanitized before it ever interacts with the underlying command line, effectively preventing attackers from breaking out of the intended command structure.<\/p>\n If an immediate software upgrade is not feasible, security teams must deploy temporary workarounds to protect their streaming infrastructure.<\/p>\n Administrators should strongly restrict access to the vulnerable\u00a0objects\/getImage.php\u00a0endpoint at the web server or reverse proxy layer using strict IP allowlisting.<\/a><\/p>\n Additionally, organizations should apply Web Application Firewall (WAF) rules<\/a> designed to inspect and actively block suspicious Base64-encoded shell command patterns.<\/p>\n As a final protective measure, administrators can turn off the image retrieval component entirely if it is not required for the platform\u2019s daily operations.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical Zero-Click Command Injection in AVideo Platform Allows Stream Hijacking<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAVideo Platform Vulnerability<\/strong><\/h2>\n