Overview
CVE-2026-33478 is a maximum-severity (CVSS 10.0) remote code execution vulnerability in WWBN AVideo, an open-source video platform. Published on March 23, 2026, the flaw resides in AVideo's CloneSite plugin and affects all versions up to and including 26.0. A fully unauthenticated attacker can chain three weaknesses together to execute arbitrary OS commands on the server — no credentials, no prior access, and no user interaction required.
Two additional AVideo CVEs were disclosed the same day: CVE-2026-33351 (CVSS 9.1, SSRF in the Live plugin) and CVE-2026-33479 (CVSS 8.8, CSRF plus arbitrary PHP execution in the Gallery plugin). All three affect AVideo 26.0 and earlier.
Technical Details
The exploit is a three-stage attack chain:
Stage 1 — Clone Secret Key Disclosure (Unauthenticated)
The clones.json.php endpoint exposes sensitive clone secret keys to any unauthenticated HTTP request. No authentication check exists on this endpoint, providing the attacker with the credential material needed for the next stage.
Stage 2 — Full Database Dump via cloneServer.json.php
Using the stolen clone keys, the attacker triggers a full database export through the cloneServer.json.php endpoint. The dumped database contains admin password hashes stored as MD5 — a cryptographically broken algorithm. These hashes are trivially crackable with modern GPU-accelerated tools or rainbow tables, yielding plaintext admin credentials.
Stage 3 — OS Command Injection via cloneClient.json.php
With admin access established, the attacker reaches an OS command injection vulnerability in the rsync command construction within cloneClient.json.php. Unsanitized user-controlled input is passed directly into a shell command, classified as CWE-78 (OS Command Injection). This grants full arbitrary command execution as the web server process.
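As an added illustration of the class of fix for this CWE-78 pattern (this is not AVideo's code and not the referenced patch), the Python below builds the rsync invocation as an argv list with no shell involved and rejects any host or path that falls outside a strict allowlist. The function names, the allowlist patterns and the sample host and paths are assumptions made for the example.

```python
import re
import shlex
import subprocess
from typing import List

# Allowlists (assumptions for this illustration, not AVideo's rules): a DNS-style
# host name and an absolute path made only of characters that no shell interprets.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")


class InvalidArgument(ValueError):
    """Raised when caller-supplied input falls outside the allowlist."""


def validate_host(host: str) -> str:
    if not HOST_RE.fullmatch(host):
        raise InvalidArgument(f"rejected host: {host!r}")
    return host


def validate_path(path: str) -> str:
    # The character class already excludes spaces and shell metacharacters;
    # the split check additionally refuses any ".." component.
    if not PATH_RE.fullmatch(path) or ".." in path.split("/"):
        raise InvalidArgument(f"rejected path: {path!r}")
    return path


def build_rsync_argv(remote_host: str, remote_path: str, local_dir: str) -> List[str]:
    """Return the rsync command as an argv list: one element per argument, no shell parsing."""
    host = validate_host(remote_host)
    src = validate_path(remote_path)
    dst = validate_path(local_dir)
    # "--" ends option parsing, so a validated argument can never be read as an rsync flag.
    return ["rsync", "-az", "--", f"{host}:{src}", dst]


def run_clone(remote_host: str, remote_path: str, local_dir: str, dry_run: bool = True) -> str:
    """Validate, optionally execute (shell=False), and return a log-friendly rendering of the command."""
    argv = build_rsync_argv(remote_host, remote_path, local_dir)
    if not dry_run:
        subprocess.run(argv, shell=False, check=True)  # argv is handed to rsync directly
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample values; dry_run=True only renders the command.
    print(run_clone("media.example.org", "/var/www/videos", "/srv/videos"))
```

Two design points: passing a list to `subprocess.run` with `shell=False` removes the local shell from the picture entirely, and the allowlist still matters because rsync hands the remote path to the remote side's shell over SSH, so escaping alone would not be enough.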
Bonus: Authenticated Arbitrary PHP Execution
Once admin credentials are obtained, AVideo also exposes an authenticated endpoint that passes user-supplied PHP code to a dynamic code execution function — providing a second, persistent path to full server compromise.
Affected Versions
| Software | Affected Versions |
|---|---|
| WWBN AVideo | All versions up to and including 26.0 |
| AVideo CloneSite Plugin | Bundled with AVideo <= 26.0 |
| AVideo Live Plugin | Affected by related CVE-2026-33351 |
| AVideo Gallery Plugin | Affected by related CVE-2026-33479 |
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 10.0 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| CWE | CWE-78 (OS Command Injection) |
Patch & Mitigation
Patch: Commit c85d076375fab095a14170df7ddb27058134d38c in the AVideo repository contains the fix.
Immediate mitigations for unpatched instances:
- Restrict access to CloneSite, Live, and Gallery plugin endpoints at the web server or firewall level.
- Block unauthenticated access to clones.json.php, cloneServer.json.php, and cloneClient.json.php.
- Rotate all admin passwords and regenerate clone secret keys.
- Upgrade to a patched release as soon as one is available.
- Consider placing AVideo behind an authentication proxy if internet-facing deployment cannot be avoided.
Related CVEs
| CVE | CVSS | Description |
|---|---|---|
| CVE-2026-33478 | 10.0 | Unauthenticated RCE via CloneSite key disclosure + DB dump + OS command injection |
| CVE-2026-33351 | 9.1 | SSRF in AVideo Live plugin standalone configuration |
| CVE-2026-33479 | 8.8 | CSRF plus arbitrary PHP code execution in AVideo Gallery plugin |
| CVE-2026-33293 | — | Arbitrary file deletion via path traversal in CloneSite deleteDump parameter |
Recommendations
All AVideo administrators running version 26.0 or earlier should treat this as an emergency. The vulnerability requires zero authentication and has a fully public attack chain. Apply the patch immediately. If patching is not immediately possible, restrict network access to the affected plugin endpoints and consider taking the AVideo instance offline until remediation is complete.
Monitor server logs for unusual access to clones.json.php, cloneServer.json.php, or cloneClient.json.php — any access to these paths from external IPs should be treated as a potential active exploitation attempt.
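To make the log-monitoring recommendation concrete, here is an added example that is not part of the original advisory: it scans combined-format access-log lines for requests to the three CloneSite endpoints from addresses outside an operator-defined set of trusted networks, and separately flags any source that touched more than one stage of the chain. The sample log lines, the `/plugin/CloneSite/` directory prefix and the trusted-network list are constructed assumptions; matching is on the file name only, so the real path prefix on a deployment does not matter.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple, Set

# The three CloneSite endpoints named in the advisory; matched on file name only.
WATCHED_ENDPOINTS = frozenset({"clones.json.php", "cloneServer.json.php", "cloneClient.json.php"})

# Networks the operator treats as internal (assumption: adjust for your deployment).
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")
]

# Apache/nginx "combined" format: client - user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


class Alert(NamedTuple):
    ip: str
    time: str
    method: str
    endpoint: str  # file name of the watched endpoint that was requested
    status: int


def is_external(ip_text: str) -> bool:
    """True unless the address lies inside a trusted network; unparseable values count as external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(ip in net for net in TRUSTED_NETWORKS)


def scan_lines(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per request for a watched endpoint from an external address."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip noise rather than crash
        path = m.group("path").split("?", 1)[0]     # drop the query string
        endpoint = path.rsplit("/", 1)[-1]          # file name only
        if endpoint not in WATCHED_ENDPOINTS or not is_external(m.group("ip")):
            continue
        alerts.append(Alert(m.group("ip"), m.group("time"), m.group("method"), endpoint, int(m.group("status"))))
    return alerts


def chained_sources(alerts: Iterable[Alert]) -> List[str]:
    """Sources that touched two or more watched endpoints, the shape of the multi-stage chain."""
    touched: Dict[str, Set[str]] = {}
    for a in alerts:
        touched.setdefault(a.ip, set()).add(a.endpoint)
    return sorted(ip for ip, endpoints in touched.items() if len(endpoints) >= 2)


# Constructed sample log lines (documentation addresses, invented timestamps and sizes).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:10:14:02 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 812 "-" "curl/8.5.0"
203.0.113.7 - - [23/Mar/2026:10:14:05 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 52311 "-" "curl/8.5.0"
10.0.0.5 - - [23/Mar/2026:10:15:00 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Mar/2026:10:16:30 +0000] "GET /view/index.php?id=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.time} {a.ip} {a.method} {a.endpoint} -> {a.status}")
    for ip in chained_sources(found):
        print(f"multi-stage CloneSite activity from {ip}")
```

Feed it a real access log with `scan_lines(open(path))`; a single external hit on any of the three endpoints is already worth a look under this advisory, and a source that appears in `chained_sources` should be escalated immediately.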