AVideo Encoder getImage.php Command Injection (CVE-2026-29058)
Overview
AVideo Encoder getImage.php Command Injection, tracked as CVE-2026-29058, affects AVideo Encoder versions before 7.0. AVideo is a video-sharing platform, and the encoder component handles media processing workflows that often run with access to application files, temporary storage, and server-side tooling.
Vulnerability Overview
CVE-2026-29058 is an unauthenticated OS command injection vulnerability in AVideo Encoder. The issue is tied to the base64Url GET parameter in objects/getImage.php, where unsafe handling allows command substitution to reach the server runtime.
The vulnerability is fixed in AVideo Encoder 7.0.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow unauthenticated attackers to execute arbitrary operating system commands on the server.
The potential impact includes full server compromise, data exfiltration, exposure of configuration secrets, and service disruption.
Vulnerability Scope
The affected product is AVideo Encoder before version 7.0. Deployments running version 7.0 or later are outside the vulnerable version range identified by the advisory.
The highest-risk systems are public AVideo Encoder deployments where the vulnerable getImage.php route is reachable by unauthenticated users.
Lab Focus
This Hackviser lab focuses on how unsafe input handling in media helper endpoints can become command injection. You will practice identifying affected AVideo Encoder versions, recognizing the impact of unauthenticated command execution, and relating the exposure of media-processing endpoints to application hardening.
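As an added illustration for the vulnerability overview and the hardening point above (not code from AVideo or from the lab), the following Python applies the allowlist check a hardened endpoint would need on the base64Url parameter, a strict base64url alphabet, and reuses that check to flag requests to objects/getImage.php whose parameter value could not be legitimate. The common-log-format lines, the IP addresses and the assumption that legitimate values use the base64url alphabet are mine, not from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate base64Url value uses the RFC 4648 base64url alphabet
# ([A-Za-z0-9_-]) with at most two '=' padding characters. Anything outside that
# set (quotes, '$(', backticks, spaces, ';') cannot be valid input for this
# parameter and is exactly what a pre-7.0 encoder would have passed on unsafely.
BASE64URL_RE = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")

# Common log format; fields beyond the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample traffic, not real logs. Line 2 carries a percent-encoded
# shell command substitution, line 4 a quote and a space; lines 1 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /objects/getImage.php?base64Url=aHR0cHM6Ly9leGFtcGxlLm9yZy92aWRlby5tcDQ HTTP/1.1" 200 5120
203.0.113.11 - - [10/Mar/2026:12:00:02 +0000] "GET /objects/getImage.php?base64Url=aHR0cHM6Ly9leGFtcGxl%24%28id%29 HTTP/1.1" 200 17
203.0.113.12 - - [10/Mar/2026:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.13 - - [10/Mar/2026:12:00:04 +0000] "GET /objects/getImage.php?base64Url=abc%27%20def HTTP/1.1" 500 0
"""


def is_valid_base64url(value: str) -> bool:
    """Allowlist check to apply before the value is used in any command or path."""
    return BASE64URL_RE.fullmatch(value) is not None


def suspicious_requests(log_text: str) -> list[dict]:
    """Return getImage.php requests whose base64Url value fails the allowlist.

    parse_qs percent-decodes the query, so the reported value is what the
    application itself would have seen.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        url = urlsplit(m["target"])
        if not url.path.endswith("/objects/getImage.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("base64Url", []):
            if not is_valid_base64url(raw):
                findings.append({"ip": m["ip"], "time": m["ts"],
                                 "status": int(m["status"]), "value": raw})
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} value={hit['value']!r}")
```

Standard base64 values containing `+` or `/` would also be flagged by this allowlist, so confirm which alphabet your deployment actually emits before using it for alerting.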
