Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33478 represents a critical Remote Code Execution (RCE) vulnerability discovered in the AVideo CloneSite plugin. This vulnerability allows an unauthenticated attacker to gain complete control over a system by chaining together multiple exploits, including secret key exposure, database dumps containing MD5-hashed admin passwords, and ultimately, OS command injection. The vulnerability impacts versions of the plugin up to and including 26.0, and a fix is pending release.
The impact of CVE-2026-33478 is severe. An attacker can initially exploit the clones.json.php endpoint to obtain clone secret keys without authentication. These keys can then be used to trigger a full database dump via cloneServer.json.php. The database dump reveals admin password hashes, which are easily crackable because they are MD5 hashes. Once the attacker compromises an admin account, they can leverage an OS command injection vulnerability within the cloneClient.json.php file's rsync command construction to execute arbitrary system commands. This grants the attacker complete control over the affected server, potentially leading to data breaches, system compromise, and further lateral movement within the network. The ease of exploitation, combined with the lack of authentication required for the initial steps, significantly increases the risk.
CVE-2026-33478 was publicly disclosed on 2026-03-20. The vulnerability's ease of exploitation and the potential for complete system compromise suggest a medium to high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Exploit Status
EPSS: 1.95% (83rd percentile)
The primary mitigation for CVE-2026-33478 is to upgrade to the patched version of the AVideo CloneSite plugin as soon as it becomes available. Until the patch is released, consider temporarily disabling the clones.json.php and cloneServer.json.php endpoints to prevent initial exploitation. Implement strong password policies and consider migrating away from MD5 hashing for admin passwords. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting these endpoints. Monitor system logs for unusual activity, particularly attempts to access or modify the cloneClient.json.php file. After upgrading, confirm the vulnerability is resolved by attempting to access the clones.json.php endpoint and verifying that authentication is required.
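As an added example (not the page's or the AVideo project's code), here is the log check the mitigation paragraph recommends: a small Python filter over constructed web-server access-log lines that flags successful requests to the three CloneSite endpoints and reports clients that reached both the key-exposure step and the dump step. The /plugin/CloneSite/ path prefix and the combined log format are assumptions.

```python
import re

# Constructed sample lines (Apache/nginx combined format), not real traffic; the /plugin/CloneSite/ prefix is assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [20/Mar/2026:10:01:05 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 8192000 "-" "curl/8.0"
198.51.100.4 - - [20/Mar/2026:10:02:00 +0000] "GET /plugin/CloneSite/cloneClient.json.php?x=1 HTTP/1.1" 200 120 "-" "python-requests/2.31"
192.0.2.9 - - [20/Mar/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:04:00 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# Endpoints named in the advisory, mapped to the step of the chain they serve.
WATCHED = {
    "clones.json.php": "secret-key exposure",
    "cloneServer.json.php": "database dump",
    "cloneClient.json.php": "command-injection surface (needs admin)",
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Match on the script name only, ignoring directory and query string.
    d["script"] = d["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return d

def find_suspicious(log_text):
    """2xx requests to any watched CloneSite endpoint (a 401/403 means the request was refused)."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["script"] in WATCHED and 200 <= e["status"] < 300:
            hits.append({"ip": e["ip"], "ts": e["ts"], "script": e["script"], "stage": WATCHED[e["script"]]})
    return hits

def find_chains(log_text):
    """Client IPs that completed both the key-exposure and the dump step."""
    seen = {}
    for h in find_suspicious(log_text):
        seen.setdefault(h["ip"], set()).add(h["script"])
    return {ip for ip, s in seen.items()
            if {"clones.json.php", "cloneServer.json.php"} <= s}
```

A large response size on cloneServer.json.php (8 MB in the second constructed line) is a further signal that a dump was actually served, and after the upgrade the same filter should only ever report refused (401/403) requests.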
Update AVideo to a version later than 26.0. The update fixes the vulnerabilities that allow unauthenticated remote code execution.
CVE-2026-33478 is a critical Remote Code Execution vulnerability in the AVideo CloneSite plugin affecting versions up to 26.0. It allows unauthenticated attackers to execute arbitrary commands on the server.
If you are using AVideo CloneSite plugin versions 26.0 or earlier, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to the patched version of the AVideo CloneSite plugin. Until the patch is available, disable vulnerable endpoints and implement strong password policies.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official AVideo website and security advisories for updates and the patched version of the CloneSite plugin.