CVE-2026-29058

Source
https://cve.org/CVERecord?id=CVE-2026-29058
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29058.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-29058
Aliases
Published
2026-03-06T07:08:26.844Z
Modified
2026-03-14T02:00:19.428351Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
Details

AVideo is video-sharing platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29058.json",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/wwbn/avideo-encoder

Affected ranges

Type
GIT
Repo
https://github.com/wwbn/avideo-encoder
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*
1.0
3.*
3.0
3.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29058.json"