From b263ba78fa13e2802d73c602269c23ffa2f3d25b Mon Sep 17 00:00:00 2001
From: jenkins-metasploit <jenkins-metasploit@build-production.r7ops.com>
Date: Wed, 18 Mar 2026 23:56:12 +0000
Subject: [PATCH] automatic module_metadata_base.json update

---
 db/modules_metadata_base.json | 58 +++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index b56824c499..9046650175 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -70537,6 +70537,64 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_linux/http/avideo_encoder_getimage_cmd_injection": {
+    "name": "AVideo Encoder getImage.php Unauthenticated Command Injection",
+    "fullname": "exploit/linux/http/avideo_encoder_getimage_cmd_injection",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2026-03-05",
+    "type": "exploit",
+    "author": [
+      "arkmarta",
+      "Valentin Lobstein <chocapikk@leakix.net>"
+    ],
+    "description": "This module exploits an unauthenticated OS command injection vulnerability\n          in AVideo Encoder's getImage.php endpoint (CVE-2026-29058).\n\n          The base64Url GET parameter is base64-decoded and injected directly into an\n          ffmpeg shell command within double quotes, without any sanitization or use of\n          escapeshellarg(). PHP's FILTER_VALIDATE_URL check does not block shell\n          metacharacters such as $() in the URL path, allowing command substitution.\n\n          A crafted URL like http://x/$(cmd) passes FILTER_VALIDATE_URL and is interpolated\n          into: ffmpeg -i \"{$url}\" ... resulting in arbitrary command execution as www-data.\n\n          The Encoder code is served by the main AVideo Apache container (mounted at\n          /Encoder), so exploitation gives access to the main application context including\n          database credentials and configuration.\n\n          Fixed in AVideo Encoder version 7.0 (commit 78178d1) which added escapeshellarg()\n          and shell metacharacter stripping.",
+    "references": [
+      "CVE-2026-29058",
+      "GHSA-9j26-99jh-v26q"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell"
+    ],
+    "mod_time": "2026-03-06 21:28:39 +0000",
+    "path": "/modules/exploits/linux/http/avideo_encoder_getimage_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/avideo_encoder_getimage_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_linux/http/axis_app_install": {
     "name": "Axis IP Camera Application Upload",
     "fullname": "exploit/linux/http/axis_app_install",