Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 16 Jul 2026 13:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft a valid encrypted payload can inject arbitrary shell metacharacters into these fields to execute OS commands as the web-server user. | |
| Title | AVideo through 29.0 OS Command Injection via ffmpeg.json.php | |
| First Time appeared |
Wwbn
Wwbn avideo |
|
| Weaknesses | CWE-78 | |
| CPEs | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Wwbn
Wwbn avideo |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-16T12:19:16.734Z
Reserved: 2026-07-16T12:13:18.732Z
Link: CVE-2026-63305
No data.
No data.
No data.
OpenCVE Enrichment
No data.