CVE-2026-55173

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.1 / 10

Vulnerability Description

AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink

Vulnerability Details

Published Date

June 23, 2026

Last Modified

June 23, 2026

Source

GitHub

Vendor

composer

Product

wwbn/avideo

External References

https://github.com/WWBN/AVideo/security/advisories/GHSA-wc3f-xc32-435f
https://github.com/WWBN/AVideo/commit/c1cfa2bea8a351a1d07f5758f82887403e3abf1f
https://github.com/advisories/GHSA-wc3f-xc32-435f

CVE-2026-55173

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment