Critical Zero-Click Command Injection in AVideo Platform Allows Stream Hijacking
Take action: If you run the AVideo platform, treat this as urgent. The flaw needs no authentication and no user interaction, so any instance reachable from the internet should be assumed to be a target. Upgrade to version 7.0 as soon as possible. Until you have updated, block access to objects/getImage.php at your web application firewall or reverse proxy, accepting that whatever that endpoint serves will be unavailable while the block is in place.
AVideo, a popular open-source video hosting and streaming platform, is reported to have a critical vulnerability that allows unauthenticated attackers to take full control of affected servers.
The flaw is tracked as CVE-2026-29058 (CVSS score 10.0). It is an OS command injection in the objects/getImage.php component: the user-supplied base64Url parameter is Base64URL-decoded and interpolated directly into a double-quoted ffmpeg command that is handed to the system shell. The only check applied is a basic URL-syntax filter, which does not neutralize shell metacharacters such as ; | & or a closing quote, nor command-substitution sequences such as $(...) and backticks. Double quotes are no defence here, because sh still expands $(...) and backticks inside them, so an attacker who can reach the endpoint runs arbitrary commands with the web server's privileges.
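To make the mechanism concrete, here is an added example that is not AVideo's own code: it models the vulnerable construction the advisory describes beside a hardened version using escapeshellarg(). The function names, the ffmpeg flags and the sample inputs are assumptions, and the code only builds command strings; it never passes them to a shell.

```php
<?php
// Added example, not AVideo's own code. Models the pattern the advisory
// describes: a base64Url parameter is decoded and interpolated into a
// double-quoted ffmpeg command. Function names, ffmpeg flags and sample
// inputs are assumptions. Nothing here is handed to a shell.

function base64UrlDecode(string $s): string|false
{
    // URL-safe alphabet back to standard Base64, then restore stripped padding.
    $std = strtr($s, '-_', '+/');
    $rem = strlen($std) % 4;
    if ($rem !== 0) {
        $std .= str_repeat('=', 4 - $rem);
    }
    return base64_decode($std, true); // strict mode rejects non-alphabet bytes
}

function base64UrlEncode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// VULNERABLE: double quotes are not a sandbox. /bin/sh still expands
// $(...) and `...` inside them, and a " in the input closes the quote,
// after which ; or | starts a new command.
function buildCmdVulnerable(string $base64Url): string
{
    $url = base64UrlDecode($base64Url);
    return "ffmpeg -i \"{$url}\" -vframes 1 -f image2 -";
}

// HARDENED: accept only http(s) URLs, then pass the value through
// escapeshellarg() so it reaches ffmpeg as exactly one literal argument.
function buildCmdHardened(string $base64Url): ?string
{
    $url = base64UrlDecode($base64Url);
    if ($url === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // FILTER_VALIDATE_URL alone also accepts file:// and other schemes
    }
    return 'ffmpeg -i ' . escapeshellarg($url) . ' -vframes 1 -f image2 -';
}

// Constructed inputs: a benign URL and a harmless quote-break payload
// carrying a command substitution.
$benign  = base64UrlEncode('https://cdn.example.test/a.jpg');
$payload = base64UrlEncode('x" $(echo injected) "');

echo buildCmdVulnerable($benign), PHP_EOL;
// The substitution inside this string would execute if it reached shell_exec().
echo buildCmdVulnerable($payload), PHP_EOL;
// The payload fails URL validation, so no command is built at all.
var_dump(buildCmdHardened($payload));
echo buildCmdHardened($benign), PHP_EOL;
```

Run it with `php example.php` and compare the two vulnerable command lines. The hardened builder rejects the payload before a command exists; even if that validation were loosened, escapeshellarg() wraps the value in single quotes, inside which sh performs no expansion at all. That second layer, not the URL filter, is what stops the injection.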
Successful exploitation of this flaw leads to complete server compromise and the potential exfiltration of sensitive configuration secrets, internal keys, and credentials. Attackers can also hijack live video streams, modify existing content, or disrupt the platform's availability entirely.
The vulnerability specifically affects AVideo version 6.0 and the associated AVideo-Encoder component. Administrators should audit both the main AVideo installation and any AVideo-Encoder deployment to confirm whether they are running the affected version.
Organizations must upgrade to AVideo version 7.0 or later. The patched version escapes shell arguments with escapeshellarg(), so untrusted data is passed as a single literal argument and cannot break out of the command structure. If an immediate upgrade is not possible, restrict access to the objects/getImage.php endpoint by IP allowlist, or deploy Web Application Firewall (WAF) rules that block suspicious base64Url values. Such rules should decode the parameter before matching: the same command encodes to different Base64 text depending on its byte offset within the input, so patterns matched against the encoded form are easy to evade.
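For teams that need to triage existing traffic while the block is in place, here is an added example, not AVideo's own code, that decodes base64Url values found in web server access logs and flags any that are not a plain http(s) URL or that contain shell metacharacters. The log format, hostnames and IP addresses are constructed for illustration.

```php
<?php
// Added example, not AVideo's own code. Triage helper for the interim
// mitigation: pulls base64Url values out of access-log lines that hit
// objects/getImage.php, decodes them, and reports anything that is not a
// plain http(s) URL. Log format and sample lines are constructed.

// Bytes that should never appear in a legitimate image URL.
const SHELL_META = '/[;&|`$<>(){}\'"\\\\\r\n]/';

function base64UrlDecode(string $s): string|false
{
    $std = strtr($s, '-_', '+/');
    $rem = strlen($std) % 4;
    if ($rem !== 0) {
        $std .= str_repeat('=', 4 - $rem);
    }
    return base64_decode($std, true);
}

function base64UrlEncode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns null for a benign value, or a short reason string otherwise.
// Matching happens on the DECODED bytes, not on the Base64 text.
function classifyBase64Url(string $encoded): ?string
{
    $decoded = base64UrlDecode($encoded);
    if ($decoded === false) {
        return 'not valid base64url';
    }
    if (preg_match(SHELL_META, $decoded)) {
        return 'shell metacharacters after decoding: ' . $decoded;
    }
    if (filter_var($decoded, FILTER_VALIDATE_URL) === false) {
        return 'decoded value is not a URL: ' . $decoded;
    }
    $scheme = strtolower((string) parse_url($decoded, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'unexpected scheme: ' . $scheme;
    }
    return null;
}

// Scans log lines and returns [line number, reason] pairs for each hit.
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        if (!preg_match('~/objects/getImage\.php\?[^ "]*base64Url=([A-Za-z0-9_%-]+)~', $line, $m)) {
            continue;
        }
        $reason = classifyBase64Url(rawurldecode($m[1]));
        if ($reason !== null) {
            $hits[] = [$i + 1, $reason];
        }
    }
    return $hits;
}

// Constructed sample lines in combined log format (addresses are
// documentation ranges, the payloads are harmless).
$log = [
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /objects/getImage.php?base64Url='
        . base64UrlEncode('https://cdn.example.test/thumb.jpg') . ' HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Mar/2026:10:00:07 +0000] "GET /objects/getImage.php?base64Url='
        . base64UrlEncode('x" $(echo injected) "') . ' HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Mar/2026:10:00:09 +0000] "GET /objects/getImage.php?base64Url='
        . base64UrlEncode('file:///etc/passwd') . ' HTTP/1.1" 200 0',
    '198.51.100.2 - - [01/Mar/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 8192',
];

foreach (scanAccessLog($log) as [$lineNo, $reason]) {
    echo "line {$lineNo}: {$reason}", PHP_EOL;
}
```

Point it at a real access log by replacing the `$log` array with `file('/path/to/access.log')`. The same classifyBase64Url() logic can back a WAF or reverse-proxy rule, but note that a 200 status on a flagged request tells you the command ran; treat those hosts as compromised and rotate any secrets the web server user could read.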