AVideo Zero-Click Flaw Lets Attackers Hijack Live Streams

An AVideo flaw allows unauthenticated attackers to execute commands and take over streaming servers.

Written By
Ken Underhill
Mar 9, 2026

A flaw in the open-source AVideo platform requires no authentication and allows attackers to remotely execute commands and take over affected servers.

Exploitation of the vulnerability “… can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption,” said researchers.

Inside the AVideo Server Takeover Risk

AVideo is an open-source platform that enables organizations to host and manage their own video streaming infrastructure. 

Because AVideo typically runs on internet-facing servers, vulnerabilities could allow attackers to hijack streams, access backend systems, or take persistent control of the hosting server.

The vulnerability, tracked as CVE-2026-29058, stems from a command injection flaw in the objects/getImage.php component of the AVideo platform. 

This component is responsible for processing requests related to retrieving images used throughout the platform’s interface.

How the AVideo Command Injection Works

The issue arises when the application processes requests containing a parameter called base64Url. 

When a request is received, the platform decodes the Base64-encoded value provided by the user and inserts the decoded data directly into a shell command used to invoke ffmpeg, a multimedia processing tool responsible for handling video and image manipulation tasks.

Although the application attempts to validate the input using standard URL filtering functions, this validation only checks whether the supplied value appears to be a syntactically valid URL. 

It does not sanitize potentially dangerous shell characters or command substitution sequences that attackers can use to manipulate command execution.

Because the decoded input is inserted into a shell command without proper escaping, attackers can send a specially crafted Base64 payload that injects commands into the ffmpeg execution process.

These injected commands then run with the privileges of the web application process.
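The gap described above, between "looks like a URL" and "safe to place in a command", shown as an added Python sketch; it is not AVideo's PHP code. The function names, the ffmpeg arguments and the sample URLs are assumptions made for illustration. In PHP the corresponding quoting control is escapeshellarg().

```python
import re
import shlex
from urllib.parse import urlsplit

# Characters a POSIX shell passes through untouched (hypothetical allowlist).
# It is stricter than RFC 3986: "?" and "&" must be percent-encoded to pass.
SHELL_SAFE = re.compile(r"[A-Za-z0-9@%+=:,./_-]+")

BENIGN = "https://media.example.test/a.jpg"                      # constructed
HOSTILE = "https://media.example.test/a.jpg;constructed-marker"  # constructed


def syntactically_valid_url(value):
    """Loose check, comparable to a generic URL filter: scheme and host only."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def shell_safe_url(value):
    """Stricter gate: a valid URL made only of allowlisted characters."""
    return syntactically_valid_url(value) and SHELL_SAFE.fullmatch(value) is not None


def needs_quoting(value):
    """True when a shell would treat part of the value as syntax."""
    return shlex.quote(value) != value


def unsafe_command(url):
    """The flawed pattern: decoded input concatenated into a shell string."""
    return "ffmpeg -i " + url + " -frames:v 1 out.jpg"


def safe_argv(url):
    """Hardened pattern: validate, then build an argument vector (no shell)."""
    if not shell_safe_url(url):
        raise ValueError("rejected media URL: %r" % url)
    return ["ffmpeg", "-nostdin", "-i", url, "-frames:v", "1", "out.jpg"]


if __name__ == "__main__":
    for candidate in (BENIGN, HOSTILE):
        print(candidate, syntactically_valid_url(candidate), shell_safe_url(candidate))
```

The list returned by `safe_argv` is meant for `subprocess.run(argv)` without `shell=True`, so no shell ever parses the URL.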

Potential Impact of the AVideo Vulnerability

The risk is heightened because the vulnerability is network-accessible and requires no authentication, allowing attackers to exploit it with a specially crafted request. 

If exploited, the flaw could allow attackers to execute commands, deploy malware, steal credentials and configuration data, or disrupt streaming services.

A patch has been released for the vulnerability, and there were no reports of exploitation at the time of publication.

Reducing Risk From the AVideo Vulnerability

Organizations running AVideo should address command injection risks, which could otherwise allow attackers to execute code, deploy malware, or disrupt streaming services.

  • Patch AVideo to the latest version to properly sanitize user input and prevent command injection.
  • Restrict access to the objects/getImage.php endpoint using web server rules, reverse proxies, or strict IP allowlisting.
  • Deploy web application firewall (WAF) tools capable of detecting and blocking suspicious Base64-encoded payloads and command injection patterns.
  • Monitor server logs, command execution activity, and outbound network connections for signs of exploitation or abnormal behavior.
  • Run the AVideo service and related components with least-privilege permissions and isolate them using containers or sandboxing where possible.
  • Disable the vulnerable image retrieval component if it is not required for normal platform operations to reduce the attack surface.
  • Regularly test incident response plans and run attack simulations around server compromise scenarios.

Together, these measures help reduce the blast radius of a compromise while strengthening the organization’s ability to detect, contain, and recover from attacks.
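One way to act on the log-monitoring item above, as an added Python example that is not part of the original article or the AVideo project: it scans web access logs for requests to objects/getImage.php, decodes the base64Url value, and flags anything that is not a plain URL. The log format (combined), the allowlist and the sample lines are assumptions; the sample entries are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/getImage.php"  # endpoint named in the article
PARAM = "base64Url"                 # parameter named in the article
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')
# Characters expected in a plain media URL; anything else is worth a look.
UNEXPECTED = re.compile(r"[^A-Za-z0-9@%+=:,./_?-]")


def decode_param(raw):
    """Decode standard or URL-safe Base64; return None if it is not Base64."""
    s = raw.replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan(lines):
    """Return (client, value, reason) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        target = urlsplit(m.group(2))
        if not target.path.endswith(ENDPOINT):
            continue
        for raw in parse_qs(target.query).get(PARAM, []):
            decoded = decode_param(raw)
            if decoded is None:
                findings.append((m.group(1), raw, "not valid Base64"))
            elif UNEXPECTED.search(decoded):
                findings.append((m.group(1), decoded, "unexpected character"))
    return findings


def _line(ip, url_value):
    """Build one constructed combined-format log line (not real traffic)."""
    query = PARAM + "=" + base64.b64encode(url_value.encode()).decode()
    return '%s - - [09/Mar/2026:10:00:00 +0000] "GET %s?%s HTTP/1.1" 200 512' % (
        ip, ENDPOINT, query)


SAMPLE_LOG = [
    _line("198.51.100.7", "https://media.example.test/a.jpg"),
    _line("203.0.113.9", "https://media.example.test/a.jpg;constructed-marker"),
]
```

Access logs record only the query string, so values sent in a request body need the same check at the WAF or in application logging.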

Risks of Open-Source Software

This vulnerability shows how weaknesses in input validation can expose internet-facing platforms to command injection risks. 

While open-source platforms offer flexibility and transparency, they also require organizations to actively monitor vulnerabilities and apply updates.

These types of risks highlight why organizations are turning to zero trust solutions that assume compromise and continuously verify access.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
