Security researchers have uncovered a critical vulnerability in AVideo-Encoder, a key component of the open-source AVideo Platform (formerly YouPHPTube). The flaw, tracked as CVE-2026-29058, carries a CVSS score of 9.8 and allows unauthenticated remote attackers to execute arbitrary operating system commands on the server.
AVideo is a popular choice for organizations needing to host and stream private video content within their internal networks. Its encoder component is responsible for converting raw video data into web-compatible formats for seamless streaming.
The vulnerability resides in the base64Url GET parameter within the objects/getImage.php file. The root cause is a classic failure to separate user input from system-level commands.
The application takes the base64Url parameter, decodes it, and then directly inserts that data into a double-quoted ffmpeg shell command.
While the system performs basic URL validation, it fails to use proper shell escaping (like escapeshellarg()). This allows an attacker to inject shell command substitution sequences—such as backticks or $(…)—into the base64 string.
When the server processes the “image request,” it inadvertently executes the attacker’s hidden code with the same privileges as the web server.
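The following PHP snippet is an added illustration, not AVideo's code, of the pattern the advisory describes and the escaping fix it recommends. The function names, the ffmpeg argument list and the sample URLs are assumptions constructed for the example; only the `base64Url` parameter name and the use of `escapeshellarg()` come from the report.

```php
<?php
// Added example (not AVideo's code): why a base64-decoded value must be
// escaped before it is placed in a shell command string.

/**
 * Unsafe pattern described in the advisory: the decoded value is interpolated
 * into a double-quoted shell string. Double quotes do not stop the shell from
 * expanding $(...) or backticks, so the value is still treated as code.
 * Kept here for contrast only; this string is never passed to exec().
 */
function buildCommandUnsafe(string $base64Url): string
{
    $url = base64_decode($base64Url, true);
    return "ffmpeg -i \"{$url}\" -vframes 1 -f image2 -";   // hypothetical ffmpeg args
}

/**
 * Hardened pattern: strict base64 decode, basic URL validation, an
 * allow-list on the scheme, and escapeshellarg() so the shell receives
 * one single-quoted literal argument regardless of its contents.
 */
function buildCommandSafe(string $base64Url): string
{
    $url = base64_decode($base64Url, true);
    if ($url === false) {
        throw new InvalidArgumentException('base64Url is not valid base64');
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('decoded value is not a URL');
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('URL scheme not allowed');
    }
    return 'ffmpeg -i ' . escapeshellarg($url) . ' -vframes 1 -f image2 -';
}

// Constructed inputs: a benign URL and one carrying a harmless $(id)
// substitution, to show how each builder treats it.
$benign  = base64_encode('https://videos.example.internal/clip.mp4');
$hostile = base64_encode('https://videos.example.internal/$(id).mp4');

echo buildCommandUnsafe($hostile), PHP_EOL;   // $(id) remains live shell syntax
try {
    echo buildCommandSafe($benign), PHP_EOL;  // URL wrapped in single quotes
    echo buildCommandSafe($hostile), PHP_EOL; // $(id) is inert inside single quotes
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note that the URL validation step alone is not the fix: as the advisory points out, a value can be a syntactically valid URL and still contain shell substitution syntax in its path. `escapeshellarg()` is what turns the value into data rather than code, and the validation only narrows what an attacker-controlled URL can point at.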
Because this attack requires zero authentication, any actor with network access to the AVideo-Encoder instance can exploit it. The consequences of a successful breach are severe:
- Full System Compromise: Attackers can gain complete control over the host server.
- Data Exfiltration: Sensitive information, including database credentials, internal configuration secrets, and private encryption keys, can be stolen.
- Service Disruption: The entire video platform can be taken offline or its content manipulated.
The AVideo development team has addressed the vulnerability in recent patches. Administrators are urged to take the following actions immediately:
- Apply Official Patches: Upgrade your AVideo-Encoder installation to the latest version. The fix involves applying strict shell argument escaping to all user-supplied values before they reach the shell.
- Restrict Access: If an immediate patch is not possible, restrict access to the objects/getImage.php endpoint via IP allowlisting or a web application firewall (WAF).
- Disable Vulnerable Endpoints: If the getImage.php functionality is not strictly required for your operations, consider disabling it entirely at the web server layer to close the attack vector.