High severity 8.8 · GHSA Advisory · Published May 29, 2026 · Updated Jun 1, 2026
CVE-2026-45578
Description
WWBN AVideo is an open source video platform. Versions 29.0 and earlier contain a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, wrapping each argument in single quotes but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands.
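The quoting failure described above, shown next to its fix as an added example (not AVideo's code and not taken from the advisory). The `printf` stand-in command, the helper names and all values are constructed; a POSIX shell is assumed.

```php
<?php
// Added illustration, not AVideo code. The printf stand-in and all values are constructed.
// Assumes a POSIX shell; escapeshellarg() quotes differently on Windows.

// Vulnerable pattern from the description: single quotes added by concatenation.
function buildNaive(string $prefix, array $values): string
{
    foreach ($values as $v) {
        $prefix .= " '" . $v . "'";
    }
    return $prefix;
}

// Hardened pattern: escapeshellarg() quotes the value and rewrites each embedded '.
function buildEscaped(string $prefix, array $values): string
{
    foreach ($values as $v) {
        $prefix .= ' ' . escapeshellarg((string) $v);
    }
    return $prefix;
}

// Defence in depth: a numeric id is validated as an integer before it gets near a shell.
function requirePositiveInt($v): int
{
    $id = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('expected a positive integer id');
    }
    return $id;
}

// Harmless stand-in for the real command: prints each argument it receives in brackets.
$prefix = "printf '[%s]\\n'";
// Constructed values; the first carries a single quote and a benign marker command.
$values = ["7'; echo INJECTED; echo '", 'stream.m3u8', '15'];

$commands = ['naive' => buildNaive($prefix, $values), 'escaped' => buildEscaped($prefix, $values)];
foreach ($commands as $label => $cmd) {
    echo "--- $label\n$cmd\n", shell_exec($cmd), "\n";
}

try {
    requirePositiveInt($values[0]);
} catch (InvalidArgumentException $e) {
    echo "rejected before any command was built: ", $e->getMessage(), "\n";
}
```

In the naive run the marker command executes as its own statement; in the escaped run the same value reaches `printf` as a single bracketed argument.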
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| WWBN/AVideo (Packagist) | <= 29.0 | — |
References
- github.com/WWBN/AVideo/security/advisories/GHSA-xw67-cg5f-4m2r (nvd: Vendor Advisory, Mitigation; WEB)
- github.com/advisories/GHSA-xw67-cg5f-4m2r (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-45578 (ghsa: ADVISORY)
News mentions
- WWBN AVideo: Nine Bugs Disclosed Together — From Wallet Fraud to RCE (Vypr Intelligence · May 29, 2026)