CVE-2026-33319

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33319

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33319.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33319

Aliases

GHSA-w5ff-2mjc-4phc

Published

2026-03-22T16:29:08.608Z

Modified

2026-04-10T05:42:41.083412Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

Details

WWBN AVideo is an open source video platform. Prior to version 26.0, the uploadVideoToLinkedIn() method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg(). If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33319.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}

References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type: GIT
Repo: https://github.com/wwbn/avideo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

aee1e11ee8d9343f87b7643e49cc32924b07979b

Affected versions

10.*

10.8

Other

11.*

11.1

11.1.1

11.5

11.6

12.*

12.4

14.*

14.3

14.3.1

18.*

18.0

2.*

2.2

2.7

21.*

21.0

22.*

22.0

24.*

24.0

25.*

25.0

3.*

3.4

4.*

4.0

7.*

7.2

7.3

7.4

7.6

7.7

7.8

8.*

8.1

8.5

8.6

8.7

8.9

8.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33319.json"