CVE-2026-41304Wwbn · Avideo
Vulnerability data via NVD (ingested)
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-41304product:"Wwbn Avideo"http.html:"Avideo"More intel sources (5)
vuln:CVE-2026-41304vulnerabilities.cve_id: CVE-2026-41304CVE-2026-41304CVE-2026-41304"CVE-2026-41304" exploit -site:nvd.nist.gov