CVE-2026-29058 – AVideo Platform File Upload Remote Code Execution
“A media upload should store a video—not give an attacker a shell.”
AVideo patched a critical vulnerability that allows attackers to upload malicious files and execute code on the server. The issue stems from improper validation of uploaded media files. An attacker can bypass file restrictions and upload a crafted file that the server processes as executable code. Once executed, the attacker can gain control of the affected server environment.
CVE-2026-29058 has a CVSS score of 9.8, which is Critical severity. Because the vulnerability can be triggered remotely and does not require authentication in certain configurations, exposed AVideo platforms could be fully compromised through a malicious upload.
The patch strengthens file upload validation and execution handling to prevent malicious files from being processed as executable content.
Key Details
- Affected Product
- Wwbn Avideo-encoder
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-78