Critical severity 9.3 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 24, 2026
CVE-2026-41064
Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil[.]com. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
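The weakness in the `/^http/` check, next to a stricter validator, as an added example (not AVideo's code and not the project's fix). The function names `weakCheck` and `strictCheck` and all sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from AVideo. Function names are hypothetical.

// The check described in the advisory: anchored only at the start, so any
// string that begins with the letters "http" passes.
function weakCheck(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Stricter check: parse the URL, then require an allowlisted scheme and a host.
function strictCheck(string $url): bool
{
    // Reject whitespace and control characters before parsing.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Constructed sample inputs.
$samples = [
    'https://example.com/video.mp4', // well-formed: both checks accept
    'httpevil.example',              // no scheme separator: weak check accepts
    'httpx://example.com/',          // scheme merely starts with "http"
    'http:/no-host/path',            // scheme present but no host
    'https://example.com/a b',       // embedded whitespace
];

foreach ($samples as $url) {
    printf(
        "%-32s weak=%-6s strict=%s\n",
        $url,
        weakCheck($url) ? 'accept' : 'reject',
        strictCheck($url) ? 'accept' : 'reject'
    );
}
```

A validator like this only helps if every fetch path (wget, curl and file_get_contents alike) goes through it, which is the gap the advisory describes in the incomplete fix.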
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 29.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (7)
- github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 (nvd, Patch, WEB)
- github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536 (nvd, Patch, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc (nvd, Exploit, Mitigation, Vendor Advisory, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j (nvd, Exploit, Mitigation, Vendor Advisory, WEB)
- github.com/advisories/GHSA-pq8p-wc4f-vg7j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33502 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-41064 (ghsa, ADVISORY)