Description
This module exploits an unauthenticated OS command injection vulnerability in AVideo Encoder's getImage.php endpoint (CVE-2026-29058).
The base64Url GET parameter is base64-decoded and injected directly into an ffmpeg shell command within double quotes, without any sanitization or use of escapeshellarg(). PHP's FILTER_VALIDATE_URL check does not block shell metacharacters such as $() in the URL path, allowing command substitution.
A crafted URL like http://x/$(cmd) passes FILTER_VALIDATE_URL and is interpolated into: ffmpeg -i "{$url}" ... resulting in arbitrary command execution as www-data.
The Encoder code is served by the main AVideo Apache container (mounted at /Encoder), so exploitation gives access to the main application context including database credentials and configuration.
Fixed in AVideo Encoder version 7.0 (commit 78178d1) which added escapeshellarg() and shell metacharacter stripping.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/avideo_encoder_getimage_cmd_injectionmsf undefined(avideo_encoder_getimage_cmd_injection) > show actions ...actions...msf undefined(avideo_encoder_getimage_cmd_injection) > set ACTION < action-name >msf undefined(avideo_encoder_getimage_cmd_injection) > show options ...show and set options...msf undefined(avideo_encoder_getimage_cmd_injection) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub