{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29058", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.244Z", "datePublished": "2026-03-06T07:08:26.844Z", "dateUpdated": "2026-03-09T20:01:00.580Z"}, "containers": {"cna": {"title": "AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q"}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"version": "< 7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T07:08:26.844Z"}, "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0."}], "source": {"advisory": "GHSA-9j26-99jh-v26q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T20:00:48.141570Z", "id": "CVE-2026-29058", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:01:00.580Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:00:48.141570Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:00:56.305Z"}}], "cna": {"title": "AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php", "source": {"advisory": "GHSA-9j26-99jh-v26q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"status": "affected", "version": "< 7.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q", "name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T07:08:26.844Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29058", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:01:00.580Z", "dateReserved": "2026-03-03T17:50:11.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T07:08:26.844Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3524E39-DF7C-4A58-9A7C-E7932948818C", "versionEndExcluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0."}, {"lang": "es", "value": "AVideo es un software de plataforma para compartir videos. Antes de la versi\u00f3n 7.0, un atacante no autenticado puede ejecutar comandos arbitrarios del sistema operativo en el servidor inyectando sustituci\u00f3n de comandos de shell en el par\u00e1metro GET base64Url. Esto puede llevar a un compromiso total del servidor, exfiltraci\u00f3n de datos (por ejemplo, secretos de configuraci\u00f3n, claves internas, credenciales) e interrupci\u00f3n del servicio. Este problema ha sido parcheado en la versi\u00f3n 7.0."}], "id": "CVE-2026-29058", "lastModified": "2026-03-10T19:14:24.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-06T07:16:02.267", "references": [{"source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-9j26-99jh-v26q"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AVideo-Encoder", "source": "cna", "vendor": "WWBN"}, "product": "avideo-encoder", "vendor": "wwbn"}], "created": "2026-03-06T14:55:29.060221+00:00", "updated": "2026-03-06T14:55:29.060314+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo-encoder"]}