{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-12T04:13:29.652","vulnerabilities":[{"cve":{"id":"CVE-2026-33319","sourceIdentifier":"security-advisories@github.com","published":"2026-03-22T17:17:09.573","lastModified":"2026-03-24T19:07:50.050","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, el método 'uploadVideoToLinkedIn()' en el plugin SocialMediaPublisher construye un comando de shell interpolando directamente una URL de carga recibida de la respuesta de la API de LinkedIn, sin sanitización a través de 'escapeshellarg()'. Si un atacante puede influir en la respuesta de la API de LinkedIn (a través de MitM, un token OAuth comprometido o un compromiso de la API), puede inyectar comandos arbitrarios del sistema operativo que se ejecutan como el usuario del servidor web. La versión 26.0 contiene una solución para el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":0.7,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndExcluding":"26.0","matchCriteriaId":"B468F0CE-E5E7-4607-BD15-B5763C47493E"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/commit/67d932eb05e1bc9b36796f73ff4f9fb47590598b","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-w5ff-2mjc-4phc","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}