CVE-2026-63305
HIGH
NVD
CVSS Score
8.1
Severity
HIGH
Published
Jul 16, 2026
Vendor
unknown
Description
AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft a valid encrypted payload can inject arbitrary shell metacharacters into these fields to execute OS commands as the web-server user.