
Critical Zero-Click Flaw in AVideo Platform Enables Complete Server Takeover

Critical zero-click flaw CVE-2026-29058 in AVideo 6.0 lets attackers execute commands. Upgrade to 7.0 to secure your platform.
Content Team

Security researcher Arkmarta discovered a critical zero-click vulnerability (CVE-2026-29058) in AVideo, a popular open-source video streaming platform. The flaw affects version 6.0 and allows attackers to execute arbitrary commands without authentication through the objects/getImage.php component.

The flaw lies in how objects/getImage.php handles the base64Url request parameter: the decoded value is used to build an ffmpeg command line. The platform applies only basic URL validation, which does not reject shell metacharacters, and the value is not escaped before the command is handed to the shell. An attacker can therefore inject arbitrary shell commands with a single request, which the source reports can be used to steal credentials and hijack live streams.
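The pattern described above, shown as an added example rather than AVideo's own code: the vulnerable command-building path next to the hardened one. The function names, the use of filter_var() as the "basic URL validation", and the sample payload are assumptions for illustration; the advisory does not publish the original source.

```php
<?php
// Added example (not AVideo's code): shell-injection pattern and its fix.
// buildThumbnailCommand, base64url_decode and the payload are assumptions.

declare(strict_types=1);

/** Decode RFC 4648 base64url, tolerating missing '=' padding; null on bad input. */
function base64url_decode(string $s): ?string
{
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);
    $out = base64_decode(strtr($s, '-_', '+/'), true); // strict: reject stray characters
    return $out === false ? null : $out;
}

/**
 * Build the ffmpeg command that grabs one frame from $url.
 * $hardened = false reproduces the flawed pattern: a validation step that
 * accepts the URL, followed by interpolation straight into a shell string.
 */
function buildThumbnailCommand(string $b64url, string $outFile, bool $hardened): ?string
{
    $url = base64url_decode($b64url);
    if ($url === null) {
        return null;
    }

    // FILTER_VALIDATE_URL only rejects characters outside its allowed set;
    // ';', '|', '$', '`', '(' and ')' are all permitted in a path, so this
    // check alone is not a defence against shell injection.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    if (!$hardened) {
        // VULNERABLE: $url lands unquoted in a string that exec()/shell_exec()
        // hands to /bin/sh, which interprets metacharacters in it.
        return "ffmpeg -y -i {$url} -vframes 1 -f image2 {$outFile}";
    }

    // Hardened: allow only http/https, then quote every untrusted argument so
    // the shell treats it as a single word regardless of its contents.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return 'ffmpeg -y -i ' . escapeshellarg($url)
         . ' -vframes 1 -f image2 ' . escapeshellarg($outFile);
}

// Constructed payload: a URL that passes validation but carries a metacharacter.
$payload = 'http://example.com/a.jpg;id';
$b64url  = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');

echo "vulnerable: ", buildThumbnailCommand($b64url, '/tmp/thumb.jpg', false), PHP_EOL;
echo "hardened:   ", buildThumbnailCommand($b64url, '/tmp/thumb.jpg', true), PHP_EOL;
```

In the vulnerable string the shell sees `;id` as a second command after ffmpeg; in the hardened one escapeshellarg() wraps the URL in single quotes, so `;id` is just part of the `-i` argument. Two further points a reviewer would raise: on PHP 7.4 and later, proc_open() accepts the command as an array of arguments and bypasses the shell entirely, which removes the quoting question altogether; and escaping only stops shell injection, ffmpeg will still fetch whatever URL it is given, so the scheme allowlist is a separate control against fetching local files or internal hosts.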

Administrators should upgrade to version 7.0 immediately; it fixes the issue by properly escaping shell arguments before the ffmpeg command is executed. Those unable to upgrade should restrict access to the vulnerable endpoint (objects/getImage.php) or deploy WAF rules that block suspicious base64Url values, keeping in mind that WAF filtering is a stopgap rather than a fix.

Source: Cybersecurity News
