Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33478 represents a critical Remote Code Execution (RCE) vulnerability discovered in the AVideo CloneSite plugin. This vulnerability allows an unauthenticated attacker to gain complete control over a system by chaining together multiple exploits, including secret key exposure, database dumps containing MD5-hashed admin passwords, and ultimately, OS command injection. The vulnerability impacts versions of the plugin up to and including 26.0, and a fix is pending release.
The impact of CVE-2026-33478 is severe. An attacker can initially exploit the clones.json.php endpoint to obtain clone secret keys without authentication. These keys can then be used to trigger a full database dump via cloneServer.json.php. The database dump reveals admin password hashes, which are easily crackable because they are unsalted MD5 hashes. Once the attacker compromises an admin account, they can leverage an OS command injection vulnerability in the rsync command construction in cloneClient.json.php to execute arbitrary system commands. This grants the attacker complete control over the affected server, potentially leading to data breaches, system compromise, and further lateral movement within the network. The ease of exploitation, combined with the lack of authentication required for the initial steps, significantly increases the risk.
CVE-2026-33478 was publicly disclosed on 2026-03-20. The vulnerability's ease of exploitation and the potential for complete system compromise suggest a medium to high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Organizations utilizing AVideo CloneSite plugin versions 26.0 and earlier are at significant risk. This includes businesses using AVideo for video cloning and management, particularly those with publicly accessible instances of the plugin. Shared hosting environments where multiple users share the same server are also at increased risk, as a compromise of one user's instance could potentially lead to the compromise of others.
• php: Examine web server access logs for requests to /clones.json.php and /cloneServer.json.php without authentication.
• php: Search plugin files for the rsync command and any user-controlled input used in its construction. Look for instances where user input is directly incorporated into the command without proper sanitization.
• linux / server: Monitor system logs (e.g., /var/log/syslog, /var/log/auth.log) for unusual processes or commands being executed, particularly those related to rsync.
• generic web: Use curl to test the /clones.json.php endpoint without authentication. A successful response indicates the vulnerability is present.
curl http://your-avideo-server/clones.json.php
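The first and fourth detection steps above (looking for requests to the CloneSite endpoints without authentication) can be run over an access log instead of by hand. The script below is an added example, not part of the advisory or of the AVideo project: the endpoint file names come from the advisory, while the log format, the /plugin/CloneSite/ directory prefix and the "no session cookie means unauthenticated" heuristic are assumptions, and every log line is constructed.

```python
"""Scan web-server access logs for hits on the AVideo CloneSite endpoints.

Added example, not part of the advisory or of the AVideo project. The endpoint
names come from the advisory; the log format, the /plugin/CloneSite/ prefix and
the session-cookie heuristic are assumptions, and every log line is constructed.
"""
import re
from collections import Counter

# Endpoints the advisory names in the exploit chain, matched on the file name so
# that the directory prefix (assumed here) does not matter.
WATCHED_ENDPOINTS = ("/clones.json.php", "/cloneServer.json.php", "/cloneClient.json.php")

# Combined log format plus one extra quoted field carrying the request's Cookie
# header (assumption about the LogFormat in use; adjust the regex to yours).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)

# Constructed sample: two unauthenticated hits from one client, a normal
# logged-in browser session, and one request the server rejected.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "-" "curl/8.5.0" "-"
203.0.113.7 - - [20/Mar/2026:10:01:05 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 90412 "-" "curl/8.5.0" "-"
198.51.100.4 - - [20/Mar/2026:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "PHPSESSID=abc123"
198.51.100.4 - - [20/Mar/2026:10:02:30 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "https://video.example/" "Mozilla/5.0" "PHPSESSID=abc123"
203.0.113.7 - - [20/Mar/2026:10:03:00 +0000] "GET /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 403 12 "-" "curl/8.5.0" "-"
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["cookie"] = entry["cookie"] or "-"
    return entry


def looks_authenticated(entry):
    """Heuristic: a PHP session cookie was sent. This is an assumption about the
    deployment and cannot tell whether the session was valid; treat it as a triage hint."""
    return "PHPSESSID=" in entry["cookie"]


def classify(entry):
    """Verdict for one entry, or None when it did not touch a watched endpoint."""
    if not any(entry["path"].endswith(ep) for ep in WATCHED_ENDPOINTS):
        return None
    if entry["status"] >= 400:
        return "blocked"
    return "authenticated" if looks_authenticated(entry) else "unauthenticated"


def scan(log_text):
    """Return one finding per request to a watched endpoint, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "path": entry["path"],
                             "status": entry["status"], "size": entry["size"],
                             "verdict": verdict})
    return findings


def per_client_summary(findings):
    """Count verdicts per source address so a scanning client stands out from normal users."""
    return Counter((f["ip"], f["verdict"]) for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['verdict']:<15} {f['ip']:<14} {f['status']} {f['size']:>7}B {f['path']}")
    print(per_client_summary(results))
```

The response size is kept in each finding because the advisory describes cloneServer.json.php returning a full database dump: an unauthenticated 200 on that endpoint with a large body is the line to escalate first.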
Exploit status
EPSS: 1.95% (83rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33478 is to upgrade to the patched version of the AVideo CloneSite plugin as soon as it becomes available. Until the patch is released, consider temporarily disabling the clones.json.php and cloneServer.json.php endpoints to prevent initial exploitation. Implement strong password policies and consider migrating away from MD5 hashing for admin passwords. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting these endpoints. Monitor system logs for unusual activity, particularly attempts to access or modify the cloneClient.json.php file. After upgrading, confirm the vulnerability is resolved by attempting to access the clones.json.php endpoint and verifying that authentication is required.
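The source-level check from the detection list (user-controlled input reaching the rsync command construction) can be scripted so it is repeatable after the upgrade. The script below is an added example, not the advisory's or AVideo's code: the two PHP snippets are constructed to show the unsafe pattern and the escapeshellarg() form a fix would use, and the plugin's real code is not reproduced. The heuristic is deliberately simple and is meant to shortlist lines for manual review.

```python
"""Flag PHP lines that build an rsync command from unescaped variables.

Added example, not part of the advisory or of AVideo. The two PHP snippets are
constructed to illustrate the pattern the advisory describes (user input reaching
the rsync command built in cloneClient.json.php); they are not the plugin's code.
"""
import re

# PHP functions that hand a string to a shell; their presence is reported so the
# reviewer knows the rsync string is actually executed and not merely logged.
SHELL_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")

VAR_RE = re.compile(r"\$[A-Za-z_]\w*(?:\[[^\]]*\])*")  # $host, $_GET['dir'], ...
CALL_RE = re.compile(r"\b(" + "|".join(SHELL_FUNCS) + r")\s*\(")

# Constructed: request data interpolated straight into the command string.
RISKY_PHP = """\
$host = $_POST['host'];
$cmd = "rsync -avz {$_GET['dir']} user@$host:/var/www/";
exec($cmd, $out);
"""

# Constructed: every dynamic part wrapped in escapeshellarg() before joining.
SAFE_PHP = """\
$host = $_POST['host'];
$cmd = "rsync -avz " . escapeshellarg($dir) . " user@" . escapeshellarg($host) . ":/var/www/";
exec($cmd, $out);
"""


def unescaped_vars(line):
    """Variables appearing after the word 'rsync' on a line that are not wrapped in
    escapeshellarg(). Known limitation: single-quoted PHP strings do not interpolate,
    so a hit inside one is a false positive to be dismissed by hand."""
    idx = line.find("rsync")
    tail = line[idx:] if idx >= 0 else line
    hits = []
    for var in VAR_RE.findall(tail):
        if f"escapeshellarg({var})" not in tail and var not in hits:
            hits.append(var)
    return hits


def audit_php(source):
    """Return a report: shell calls seen and rsync lines with unescaped input."""
    report = {"shell_calls": [], "findings": []}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for call in CALL_RE.findall(line):
            report["shell_calls"].append((lineno, call))
        if "rsync" in line:
            for var in unescaped_vars(line):
                report["findings"].append({"line": lineno, "variable": var,
                                           "code": line.strip()})
    return report


if __name__ == "__main__":
    for label, src in (("risky", RISKY_PHP), ("safe", SAFE_PHP)):
        rep = audit_php(src)
        print(label, "shell calls:", rep["shell_calls"])
        for f in rep["findings"]:
            print(f"  line {f['line']}: {f['variable']} reaches rsync unescaped -> {f['code']}")
```

Run it over the plugin directory with `audit_php(open(path).read())` per file; an empty findings list for a file that still contains a shell call is the state to expect after the patched version is installed, and anything else is a line to read.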
Update AVideo to a version later than 26.0. The update fixes the vulnerabilities that allow unauthenticated remote code execution.
CVE-2026-33478 is a critical Remote Code Execution vulnerability in the AVideo CloneSite plugin affecting versions up to 26.0. It allows unauthenticated attackers to execute arbitrary commands on the server.
If you are using AVideo CloneSite plugin versions 26.0 or earlier, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to the patched version of the AVideo CloneSite plugin. Until the patch is available, disable vulnerable endpoints and implement strong password policies.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official AVideo website and security advisories for updates and the patched version of the CloneSite plugin.