Critical AVideo flaw lets attackers run commands remotely and potentially hijack streams
A critical vulnerability in the open-source AVideo platform could let unauthenticated attackers execute arbitrary operating system commands on a server through a crafted request. The issue is tracked as CVE-2026-29058, carries a CVSS 3.1 score of 9.8, affects AVideo versions before 7.0, and is patched in version 7.0.
The bug sits in objects/getImage.php and involves the base64Url parameter. According to the GitHub advisory and NVD entry, attackers can inject shell command substitution into that parameter and trigger command execution on the server. The impact can include full server compromise, theft of configuration secrets or credentials, and service disruption.
That makes this more than a routine web bug. AVideo runs video hosting and streaming infrastructure, so a server-side command injection flaw can expose the entire platform behind it, including media workflows and service availability. Claims about full “stream hijacking” are a reasonable risk inference from server compromise and service disruption, but the official advisory does not describe a separate confirmed stream-hijack exploit path.
What happened
The official advisory says the vulnerability allows unauthenticated OS command injection through the base64Url GET parameter in objects/getImage.php. The root issue is improper handling of untrusted input before it reaches a shell command. GitHub’s advisory specifically says an attacker can inject shell command substitution into the parameter and execute arbitrary commands on the server.
NVD mirrors that description and confirms the affected range as versions prior to 7.0. It also classifies the flaw under CWE-78, which covers improper neutralization of special elements used in an OS command. The CVSS vector shows network attackability, low attack complexity, no required privileges, and no user interaction.
Why this bug is serious
A 9.8 score puts this issue in the critical tier. In practical terms, an internet-exposed AVideo instance running a vulnerable version could face direct remote compromise without an authenticated session. Once command execution is available, attackers may steal secrets, tamper with media workflows, disrupt live services, or pivot deeper into the environment.
This also matters because AVideo is not a desktop tool with a tiny footprint. It is a server-side platform, so a single vulnerable internet-facing deployment can expose an organization’s streaming backend and whatever credentials or internal connections sit behind it. That broader operational risk follows directly from the official impact statement about full server compromise and data exfiltration.
Key details
| Item | Verified detail |
|---|---|
| CVE | CVE-2026-29058 |
| Product | AVideo / WWBN AVideo |
| Severity | CVSS 3.1 score 9.8, Critical |
| Affected versions | Versions prior to 7.0 |
| Fixed version | 7.0 |
| Vulnerable component | objects/getImage.php |
| Attack vector | Unauthenticated command injection through base64Url GET parameter |
| Weakness type | CWE-78 OS command injection |
What admins should do now
The main fix is straightforward. Upgrade AVideo to version 7.0 or later. Both the GitHub advisory and NVD say the vulnerability is patched in 7.0.
If an immediate upgrade is not possible, the advisory-backed temporary steps are to restrict access to objects/getImage.php, place controls at the reverse proxy or web server layer, and use WAF rules or similar filtering to reduce exposure until patching is complete. Secondary advisory mirrors also describe limiting access or disabling the endpoint if it is not needed.
Security teams should also review logs for suspicious requests involving base64Url, inspect recent command execution and ffmpeg-related activity on exposed hosts, and rotate secrets if they suspect compromise. That last step is an operational inference based on the official warning that configuration secrets and credentials may be exposed.
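One way to carry out the log-review step above, as an added example that is not from the article or the AVideo project: it parses combined-format web server access log lines, picks out requests to objects/getImage.php that carry base64Url, and flags values whose raw or base64url-decoded form contains shell command-substitution or chaining characters, the CWE-78 pattern the advisory describes. The combined log format, the assumption that the parameter normally carries base64url text, and the sample log lines are all constructed here.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that permit command substitution or chaining (the CWE-78 pattern
# the advisory describes for the base64Url parameter).
SHELL_META = re.compile(r"[`;|&\n]|\$\(|\$\{")
# Apache/nginx combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_b64url(value: str) -> str:
    """Strict base64url decode (assumed encoding of the parameter); '' if not valid."""
    padded = value + "=" * (-len(value) % 4)
    try:
        # validate=True rejects characters outside the base64url alphabet, so a raw
        # shell payload fails here and is caught by the raw-value check instead.
        return base64.b64decode(padded, altchars=b"-_", validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def analyze_line(line: str):
    """Return a finding for a getImage.php request that carries base64Url, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/objects/getImage.php"):  # also matches sub-directory installs
        return None
    values = parse_qs(url.query).get("base64Url")
    if not values:
        return None
    raw = values[0]  # parse_qs has already percent-decoded it
    decoded = decode_b64url(raw)
    suspicious = bool(SHELL_META.search(raw) or SHELL_META.search(decoded))
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "raw": raw, "decoded": decoded, "suspicious": suspicious}

def scan(lines):
    """Suspicious findings only, in log order."""
    return [f for f in map(analyze_line, lines) if f and f["suspicious"]]

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /objects/getImage.php?base64Url=aHR0cHM6Ly9leGFtcGxlLmNvbS9hLmpwZw HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2026:10:01:05 +0000] "GET /objects/getImage.php?base64Url=%24%28id%29 HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Mar/2026:10:01:09 +0000] "GET /objects/getImage.php?base64Url=YGlkYA HTTP/1.1" 200 0',
    '203.0.113.10 - - [12/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Run it against a real access log by feeding the file's lines to scan(); the first sample line (a normal base64url image URL) is not flagged, the second and third are.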
FAQ
Can the flaw be exploited without any user interaction?
From a CVSS perspective, yes in the sense that it requires no user interaction. NVD lists UI:N, which means the attack does not depend on a victim clicking or approving anything.
Which AVideo versions are affected?
The official advisory says AVideo versions before 7.0 are affected. Version 7.0 contains the fix.
Does an attacker need an account or credentials?
No. The advisory says the flaw is unauthenticated, so no prior account or privileges are required.
Can the flaw lead to full server compromise?
Yes. The official impact statement says the flaw can lead to full server compromise, data exfiltration, and service disruption.