External risk intelligence

AVideo OS Command Injection via ffmpeg.json.php

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-63305

AVideo is a video hosting and streaming platform commonly deployed as a public-facing web application. The vulnerable endpoint is part of the application's core functionality, making it accessible to users or attackers interacting with the web service over the internet.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in AVideo, a video hosting platform, that could allow attackers to execute commands on the web server. This is due to a flaw in how certain parameters are handled in the ffmpeg.json.php endpoint, where unescaped input can be interpreted as operating system commands. The potential for unauthorized command execution on the server poses a significant risk to system integrity and data security.

  • Command execution flaw in video platform.
  • Critical risk to server integrity.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the `ffmpeg.json.php` endpoint, which is exposed externally. This endpoint processes `notifyCode` and `callback` parameters without proper sanitization, allowing an attacker to inject malicious shell commands. If successful, these commands would execute on the server with the privileges of the web server user, potentially leading to unauthorized system access or modification.

  • Requires an attacker to send a crafted request.
  • Triggered by injecting shell metacharacters into parameters.
  • Enables execution of arbitrary OS commands.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary operating system commands on the affected server. This is possible when the server processes specially crafted encrypted payloads through the ffmpeg.json.php endpoint, enabling the attacker to inject commands that run with the privileges of the web server user.

  • Server operating system commands could be executed.
  • Arbitrary commands via crafted encrypted payload.
  • Unauthorized server-level access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Web Application and Security teams are likely responsible for addressing this critical vulnerability in AVideo, as it involves an OS command injection flaw in a publicly accessible endpoint. The immediate first step is to identify all instances of AVideo within the environment, determine their exposure and business criticality, and confirm the accountable owner for remediation planning.

  • Identify AVideo instances and exposure.
  • Confirm accountable owner and business criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is AVideo?

AVideo is an open-source platform designed for hosting and streaming video content. It functions as a web application, allowing users to manage, encode, and distribute video files. Because it is typically deployed as a public-facing service, it acts as a central hub for video-based media delivery, often handling complex processing tasks like video transcoding through integrated tools.

What is the weakness in CVE-2026-63305?

This vulnerability is an OS command injection, classified as CWE-78. It happens when software passes user-supplied input—in this case, the 'notifyCode' and 'callback' parameters—to a system shell without properly cleaning or 'escaping' it first. This allows an attacker to 'break out' of the intended input field and insert their own operating system commands, which the server then executes as if they were legitimate instructions.

How is this command injection triggered?

An attacker triggers this by sending a specifically crafted, encrypted request to the ffmpeg.json.php endpoint. The flaw relies on the application concatenating the attacker's malicious input directly into a shell command. It is important to note that simply visiting the site or interacting with standard video player features does not trigger this; the exploit specifically requires the successful delivery of a payload formatted to bypass the application's expected input structure.

Is my server at risk if it runs AVideo?

According to Halo Surface Signal, AVideo is typically deployed as a public-facing web application, and the vulnerable ffmpeg.json.php endpoint is part of its core functionality. This makes the platform inherently accessible to external requests over the internet. If your instance is reachable from the public web, it is highly relevant, as attackers can interact with this endpoint remotely to attempt unauthorized command execution.

How should I respond to this threat?

Start by locating all AVideo instances running within your environment to understand your total footprint. Once identified, evaluate which servers are exposed to the internet and assess their business importance. Because this flaw allows for unauthorized server-level commands, prioritize these instances for updates or security hardening based on your internal risk management procedures. Avoid relying on perimeter defenses alone while planning your next steps.

References