CVE-2026-29058 | THREATINT

Description

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-06 | Updated 2026-03-06 | Assigner GitHub_M

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 7.0

affected

References

github.com/...ncoder/security/advisories/GHSA-9j26-99jh-v26q

cve.org (CVE-2026-29058)

nvd.nist.gov (CVE-2026-29058)

Download JSON