GHSA-xw67-cg5f-4m2r: AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
high vulnerability
security
Summary
AVideo has a command injection vulnerability in `plugin/Live/on_publish.php` where user-controlled stream keys are inserted into a shell command using literal single quotes instead of proper escaping. An attacker can break out of the quotes by including a single quote character in the stream key, allowing them to inject and execute arbitrary shell commands on the server.
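The quoting flaw described above, shown beside the defensive fixes a maintainer would apply. This is an added example, not AVideo's own code; the function names, the placeholder command line and the sample stream keys are all hypothetical.

```php
<?php
// Added example, not AVideo's own code. Function names and the command line are
// hypothetical placeholders; the point is how the stream key reaches the shell.

// Unsafe pattern from the advisory: untrusted input wrapped in literal single
// quotes. A quote character inside $streamKey ends the quoted argument and the
// remainder of the value is interpreted by the shell as command syntax.
function buildCommandUnsafe(string $streamKey): string
{
    return "/opt/tool/process-stream --key '" . $streamKey . "'";
}

// Defence 1: validate the stream key against a strict allowlist before it is
// used anywhere. Stream keys are server-issued tokens, so a narrow character
// set is a reasonable constraint (adjust the pattern to the real key format).
function isValidStreamKey(string $streamKey): bool
{
    return preg_match('/^[A-Za-z0-9_-]{8,128}$/', $streamKey) === 1;
}

// Defence 2: if a shell string must be built, let PHP do the quoting.
// escapeshellarg() wraps the value in single quotes and escapes any embedded
// single quote so the argument cannot terminate early.
function buildCommandSafe(string $streamKey): string
{
    if (!isValidStreamKey($streamKey)) {
        throw new InvalidArgumentException('rejected stream key');
    }
    return '/opt/tool/process-stream --key ' . escapeshellarg($streamKey);
}

// Defence 3 (preferred): avoid the shell entirely. Since PHP 7.4, proc_open()
// accepts an argv array and executes the program directly, so no shell ever
// parses the stream key.
function runWithoutShell(string $streamKey): int
{
    if (!isValidStreamKey($streamKey)) {
        throw new InvalidArgumentException('rejected stream key');
    }
    $argv = ['/opt/tool/process-stream', '--key', $streamKey];
    $proc = proc_open($argv, [], $pipes);
    return is_resource($proc) ? proc_close($proc) : -1;
}

// Constructed sample inputs: a well-formed key and one containing a quote.
var_dump(isValidStreamKey('stream_7f3a9c2e'));
var_dump(isValidStreamKey("bad'key"));
echo buildCommandSafe('stream_7f3a9c2e'), PHP_EOL;
```

The validation step rejects the key with the embedded quote outright, and even a key that passes validation is handed to the shell only through escapeshellarg() or, better, never reaches a shell at all.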
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
May 15, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
WWBN/AVideo@<= 29.0
Original source: https://github.com/advisories/GHSA-xw67-cg5f-4m2r
First tracked: May 15, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%