Command Injection RCE in WWBN AVideo CloneSite plugin
CVE-2026-41304 affects WWBN AVideo, an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs a shell command by concatenating the user-controlled url parameter into a wget command and executes it via PHP exec() without proper sanitization. Because shell metacharacters are not neutralized, an attacker can break out of the intended URL argument context and append arbitrary commands, resulting in command injection and remote code execution on the server.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
cloneServer.json.php endpoint. Limit network exposure to trusted administrators only, and if possible block external access to the vulnerable endpoint at the web server, reverse proxy, or firewall layer. Additional hardening includes removing use of shell execution for this workflow, constraining outbound command execution, and running the web application with minimal OS privileges to reduce post-exploitation impact.Remediation
Patch, then assume compromise.
473c609fc2defdea8b937b00e86ce88eba1f15bb, which addresses the unsafe command construction in the CloneSite plugin. If upgrading by source, apply that commit or the equivalent vendor patch to eliminate direct concatenation of untrusted input into shell commands.Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.