VYPR
Medium severity 6.3 · NVD Advisory · Published May 17, 2026 · Updated May 18, 2026

CVE-2026-8753

Description

A security vulnerability has been detected in kalcaddle Kodbox up to 1.64. This issue affects the function parseVideoInfo of the file /workspace/source-code/plugins/fileThumb/lib/VideoResize.class.php of the component fileThumb Plugin. The manipulation of the argument ffmpegBin leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kodbox up to 1.64 contains a post-authentication command injection in the fileThumb plugin's parseVideoInfo function via the ffmpegBin configuration parameter.

Vulnerability

Description

A command injection vulnerability exists in kalcaddle Kodbox versions up to 1.64, specifically within the fileThumb plugin. The flaw resides in the parseVideoInfo function inside /workspace/source-code/plugins/fileThumb/lib/VideoResize.class.php. The ffmpegBin configuration parameter, which is used to specify the FFmpeg binary path, is directly concatenated into a shell command without proper sanitization, allowing an attacker to inject arbitrary operating system commands [1].
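The weakness described above is a pattern, not a specific line of Kodbox code: a configuration value is spliced into a shell command string. The following PHP is an added illustration for defenders, not Kodbox's own code and not taken from the advisory or its reference; the function names, the argument list passed to FFmpeg and the allowlist of install directories are assumptions. It shows the unsafe concatenation next to a hardened form that validates the configured binary and quotes every argument.

```php
<?php
// Added illustration, not Kodbox's real code: function names, the FFmpeg
// argument list and the allowlist of install directories are assumptions.

// The pattern the advisory describes: a configuration value is glued into a
// shell command string, so any shell metacharacter in it reaches the shell.
function parseVideoInfoVulnerable(string $ffmpegBin, string $path)
{
    $cmd = $ffmpegBin . ' -i ' . $path . ' 2>&1';   // no validation, no quoting
    return shell_exec($cmd);
}

// Syntactic policy: an absolute path made only of characters that the shell
// does not interpret. Kept as a pure function so it can be checked in isolation.
function ffmpegBinLooksSafe(string $ffmpegBin): bool
{
    return preg_match('#^/[A-Za-z0-9_./-]+$#', $ffmpegBin) === 1;
}

// Hardened form, step 1: accept only a configured binary that passes the
// syntactic policy, exists, is executable and resolves into an allowed
// install directory. The allowlist is applied to the realpath() result, not
// to the raw string, so "/usr/bin/../../tmp/x" is caught as well.
function validateFfmpegBin(string $ffmpegBin): string
{
    if (!ffmpegBinLooksSafe($ffmpegBin)) {
        throw new InvalidArgumentException('ffmpegBin must be an absolute path using safe characters');
    }
    $real = realpath($ffmpegBin);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        throw new InvalidArgumentException('ffmpegBin does not point to an executable file');
    }
    $allowedDirs = ['/usr/bin', '/usr/local/bin'];   // assumed deployment policy
    if (!in_array(dirname($real), $allowedDirs, true)) {
        throw new InvalidArgumentException('ffmpegBin is outside the allowed install directories');
    }
    return $real;
}

// Hardened form, step 2: quote every argument with escapeshellarg(), so neither
// the configuration value nor the user-supplied file path is parsed by the shell.
function parseVideoInfoHardened(string $ffmpegBin, string $path)
{
    $bin = validateFfmpegBin($ffmpegBin);
    $cmd = escapeshellarg($bin) . ' -i ' . escapeshellarg($path) . ' 2>&1';
    return shell_exec($cmd);
}

// Usage: a legitimate configured path passes the syntactic policy; a value
// carrying shell metacharacters or a relative path is rejected before any
// filesystem or shell call is made.
var_dump(ffmpegBinLooksSafe('/usr/bin/ffmpeg'));
var_dump(ffmpegBinLooksSafe('ffmpeg'));
```

Two design points matter here. First, validation happens on the value when it is used, not only when it is saved, because a configuration endpoint and the code that consumes the configuration can be reached on different paths. Second, quoting with escapeshellarg() is the minimum; where the PHP version allows it, passing the command to proc_open() as an array (supported since PHP 7.4) avoids invoking a shell at all, which removes the injection surface rather than escaping it.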

Exploitation

Prerequisites

Exploitation requires an authenticated user who has the necessary rights to modify plugin configurations and access video preview features. The attack vector is remote and involves crafting a malicious ffmpegBin value through the plugin configuration endpoint (GET /?admin/plugin/setConfig&app=fileThumb&value=<JSON>&accessToken=<token>). When the modified configuration is subsequently used in the video preview pipeline (GET /?plugin/fileThumb/videoPreview&path=<upath>&accessToken=<token>), the injected command is executed via shell_exec() in parseVideoInfo() [1].

Impact

An authenticated attacker can execute arbitrary commands on the underlying server with the privileges of the web server process. This can lead to full compromise of the Kodbox installation, including data exfiltration, further lateral movement, and potential denial of service. The CVSS v3 score is 6.3 (Medium), though the reference assigns a higher severity of High (CVSS 8.1) due to the post-authentication requirement and potential for complete system compromise [1].

Mitigation

Status

The vendor was contacted but did not respond; no official patch has been released as of the publication date (2026-05-17). A public proof-of-concept exploit is available. Users should upgrade to a patched version if released, or restrict access to the fileThumb plugin's configuration and preview endpoints to trusted administrators only. Consider disabling the plugin if not essential.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Kodcloud/Kodbox (inferred), 2 versions, range <=1.64
    • (no CPE) range: <=1.64
    • (no CPE) range: <=1.64

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.