Unauthenticated RCE chain in WWBN AVideo CloneSite plugin
CVE-2026-33478 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The issue is a chained exploitation path in the CloneSite plugin. First, the clones.json.php endpoint exposes clone secret keys without authentication. Those keys can then be used with cloneServer.json.php to trigger a full database dump. The dump includes administrator password hashes stored as MD5, which are described as trivially crackable, enabling an attacker to recover admin credentials. After obtaining administrative access, the attacker can exploit an OS command injection flaw in cloneClient.json.php, specifically in the construction of an rsync command, to execute arbitrary system commands on the server. The supporting content also maps the issue to improper access control in addition to OS command injection.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
clones.json.php, cloneServer.json.php, and cloneClient.json.php. Limit access to trusted administrators only, place the application behind network access controls where feasible, and monitor for requests to these endpoints and for unexpected rsync or shell execution activity. Treat existing administrator credentials as potentially compromised due to MD5 hash exposure and rotate them. Review the host for indicators of command execution and unauthorized database export.Remediation
Patch, then assume compromise.
c85d076375fab095a14170df7ddb27058134d38c as containing the patch. Remediation should include correcting the unauthenticated exposure of clone secret keys in clones.json.php, preventing unauthorized database dump access via cloneServer.json.php, and fixing the OS command injection in cloneClient.json.php by eliminating unsafe shell command construction for rsync. Because administrator password hashes may have been exposed, rotate all administrator credentials and any other secrets stored in or derived from the dumped database.Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Unknown
An unauthenticated remote code execution vulnerability chain in WWBN AVideo CloneSite plugin affecting versions up to and including 26.0, involving exposed clone secret keys, database dump access, weak MD5 password hashes, and OS command injection.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.