Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-63305

HIGH NVD
CVSS Score 8.1
Severity HIGH
Published Jul 16, 2026
Vendor unknown

Description

AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft a valid encrypted payload can inject arbitrary shell metacharacters into these fields to execute OS commands as the web-server user.

References