External risk intelligence

AVideo OS Command Injection via listFFmpegProcesses.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-63304

AVideo is a web-based video sharing and streaming platform designed to be hosted as a public-facing web application. The vulnerability resides within an API endpoint used by the application, which is typically accessible over the network to facilitate its primary function of serving and managing video content.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in AVideo that could allow unauthorized execution of commands on the server. This occurs due to improper handling of certain parameters within a function that processes FFmpeg processes. While this vulnerability is considered critical, its direct impact on our environment requires confirmation of the specific technology's presence and usage.

  • Unsanitized input allows server command execution.
  • Critical severity, external exposure potential.
  • Confirm relevance and exposure within our environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a crafted payload to the AVideo API, targeting the `listFFmpegProcesses` function within `plugin/API/standAlone/functions.php`. This function processes unsanitized input, allowing an attacker to break out of a quoted context and inject operating system commands. If successful, arbitrary commands can be executed with the privileges of the web server.

  • No specific access required.
  • Unsanitized API keyword parameters.
  • Arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary operating system commands as the web server user when supported by the advisory's conditions. This could impact the integrity and availability of the web server and potentially affect data processed by the application.

  • Server OS commands could be executed.
  • Unsanitized keyword parameters may be exploited.
  • Unauthorized commands could be run.

Operational Fix

Recommended remediation, mitigation, and detection steps

The likely owners for this critical vulnerability are application owners responsible for AVideo, working in conjunction with infrastructure or platform teams to manage the web server environment. The first practical step is to inventory AVideo instances, confirm their network exposure and business criticality, and identify the accountable owner for each instance to prioritize remediation efforts.

  • Application owners must confirm AVideo instance exposure.
  • Verify all active AVideo installations and their reachability.
  • Plan remediation with relevant infrastructure teams.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is AVideo?

AVideo is an open-source platform used for hosting, managing, and streaming video content. It functions as a web-based application, often deployed by organizations to serve media to users over a network. Because it handles video processing, it relies on external tools like FFmpeg to manage media tasks behind the scenes.

How does CVE-2026-63304 work?

This vulnerability is an OS command injection, categorized as CWE-78. It happens because a specific function fails to properly clean user-provided input before using it to run system-level processes. By injecting special characters, an attacker can escape the intended function boundaries and force the server to execute unauthorized system commands instead of just legitimate video processing tasks.

Do I need to be authenticated to trigger this?

No, the vulnerability does not require prior authentication or specialized user access. However, simply sending any input is not enough; the attacker must successfully craft a valid, encrypted codeToExec payload to bypass the application's logic. If the input is not correctly encrypted to match what the function expects, the command injection will not be triggered.

Is my AVideo instance at risk?

According to Halo Surface Signal, AVideo is typically hosted as a public-facing web application to facilitate streaming. Because the vulnerable API endpoint is network-accessible, any instance exposed to the internet is highly relevant. You should prioritize checking any AVideo installations that are reachable from outside your private network.

What should I do to address this?

Start by performing an inventory to locate all active AVideo instances across your environment. Once identified, confirm the network exposure of each instance and coordinate with the responsible application owners. Work with your infrastructure teams to assess these assets and prioritize them for remediation based on their business criticality and current accessibility.

References