AVideo Platform Vulnerability Allows Hackers to Hijack Streams via Zero-Click Command Injection


A highly critical security flaw has been disclosed in the AVideo platform, leaving media servers exposed to complete system takeover.

Tracked as CVE-2026-29058, this zero-click, unauthenticated operating system command injection vulnerability allows hackers to hijack streams and remotely execute malicious shell commands.

The flaw carries a critical severity score of 9.8 out of 10. It requires no user interaction and no special privileges to exploit.

If successfully exploited, attackers can achieve full server compromise, steal sensitive internal data, and cause severe service disruptions across video streaming environments.

Initially published by DanielnetoDotCom and credited to security analyst arkmarta, this weakness is classified under CWE-78 (improper neutralization of special elements used in an OS command).

Technical Details and Root Cause

The vulnerability is rooted in specific application files, namely the objects/getImage.php and objects/security.php components of the AVideo platform.

Currently, version 6.0 is confirmed to be vulnerable to this exploit. The core issue revolves around the dangerous handling of the base64Url web parameter.

When input is provided to this specific parameter, the system decodes the data and directly inserts it into a double-quoted ffmpeg shell command.

Crucially, the command is executed without any shell escaping or other sanitization of the decoded value.

Although the application tries to validate the input using a standard URL filter, this built-in PHP function only checks for basic web address formatting.

It completely fails to block malicious command sequences that change the intended operating system action.

Because the platform uses background command execution helpers like shell_exec and nohup, an attacker can silently inject and run destructive commands at the deepest system level.

This allows remote hackers to bypass normal security controls and take control of the server processing the media files.

To permanently fix CVE-2026-29058, system administrators must urgently upgrade their AVideo installations to the fully patched version 7.0 or newer.

This updated release resolves the underlying vulnerability by implementing strict shell argument escaping, such as using the escapeshellarg() function, on all user-supplied values before building any system commands.

Furthermore, the software update removes the unsafe practice of directly inserting untrusted input into commands, choosing safer process execution methods for media handling tasks.
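The unsafe pattern described above (a decoded parameter interpolated into a double-quoted ffmpeg command after only a URL-format check) next to the escaped and shell-free forms the fix describes. This is an added illustration, not AVideo's code: the function names, the use of filter_var() with FILTER_VALIDATE_URL, plain base64_decode() for the parameter, the ffmpeg arguments and the http/https scheme allowlist are all assumptions.

```php
<?php
// Added illustration (not AVideo's code). Function names and ffmpeg arguments are assumed.

// UNSAFE: the decoded value passes only a URL-shape check, then lands inside a
// double-quoted shell string. FILTER_VALIDATE_URL says nothing about shell safety,
// so any shell metacharacters in $url remain live parts of the command.
function buildThumbnailCommandUnsafe(string $base64Url): ?string
{
    $url = base64_decode($base64Url); // assumption: plain base64 encoding
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return "nohup ffmpeg -i \"{$url}\" -frames:v 1 /tmp/thumb.jpg > /dev/null 2>&1 &";
}

// HARDENED: decode strictly, allow only http(s) (added hardening, since ffmpeg
// understands many other input protocols), and quote every argument with escapeshellarg().
function buildThumbnailCommandSafe(string $base64Url): ?string
{
    $url = base64_decode($base64Url, true); // strict mode rejects non-base64 bytes
    if ($url === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return 'nohup ffmpeg -i ' . escapeshellarg($url)
        . ' -frames:v 1 ' . escapeshellarg('/tmp/thumb.jpg') . ' > /dev/null 2>&1 &';
}

// SAFER STILL: avoid the shell entirely. Since PHP 7.4 proc_open() accepts an argv
// array, so there is no quoting layer for untrusted data to break out of.
// Runs synchronously; backgrounding would be handled by a job queue, not by "&".
function runThumbnailNoShell(string $url, string $outPath): int
{
    $argv = ['ffmpeg', '-i', $url, '-frames:v', '1', $outPath];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc); // ffmpeg exit status
}
```

The middle form is what the page describes as the 7.0 fix; the last form is the "safer process execution method" the text alludes to, and is preferable wherever the command need not go through a shell.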

For organizations that cannot apply the software update immediately, deploying temporary security workarounds is strongly advised to limit risk.

Security teams should restrict access to the vulnerable objects/getImage.php file at the web server layer.

This protection can be achieved by allowing only trusted IP addresses, requiring strict administrative logins, or simply disabling the endpoint entirely if it is not actively needed.

Finally, administrators should apply strong Web Application Firewall rules to block suspicious network patterns and stop malicious traffic before it ever reaches the vulnerable streaming server.
