JustAppSec

CloneSite bug chain yields unauthenticated RCE in AVideo

2 min read
Published: 23 Mar 2026
Updated: 23 Mar 2026
Source: CVEProject (cvelistV5)

TL;DR — A chained CloneSite exposure in AVideo can let unauthenticated attackers trigger a database dump and pivot into OS command execution.

What happened

AVideo is an open-source PHP video platform (Composer package avideo/avideo) commonly self-hosted for streaming and media library use.

CVE-2026-33478 describes a multi-step, unauthenticated attack chain in the CloneSite plugin that ends in remote code execution. Per the CVE record, the chain starts with plugin/CloneSite/clones.json.php exposing clone “secret keys” without authentication. Those keys can then be used against plugin/CloneSite/cloneServer.json.php to trigger a full database dump that is written to a web-accessible location. The dump includes admin password hashes stored as MD5 (called out as trivially crackable in the advisory).

With recovered admin access, the attacker can then reach an OS command injection in the rsync command construction in plugin/CloneSite/cloneClient.json.php, enabling arbitrary command execution. The CVE record scores this as CVSS v3.1 10.0 (Critical).

This is a high-priority pattern for platform teams because it combines (1) unauthenticated secret material disclosure, (2) automated database exfiltration, and (3) command injection in deployment/replication tooling — a “chainable” failure mode that tends to be wormable in real-world scanning campaigns.

Who is impacted

  • Deployments running WWBN/AVideo (Composer: avideo/avideo) in versions <= 26.0.
  • Environments where the CloneSite plugin endpoints are reachable from untrusted networks.

Component                                Affected versions (per source)   Patched versions (per source)
avideo/avideo (CloneSite plugin chain)   <= 26.0                          None listed

What to do now

  • Follow advisory remediation guidance (GitHub Security Advisory referenced by the CVE):

    "Add authentication to clones.json.php"
    "Don't store SQL dumps in web-accessible directories"
    "Upgrade password hashing — replace MD5 with password_hash()"
    "Sanitize rsync command parameters — use escapeshellarg() on all interpolated values"

  • Validate whether you have any public exposure of CloneSite endpoints (particularly plugin/CloneSite/clones.json.php and plugin/CloneSite/cloneServer.json.php) and reduce access to trusted admin networks only.
  • The CVE record references a fixing commit (c85d076375fab095a14170df7ddb27058134d38c). If you maintain an internal fork or build from source, review and apply the upstream patch as appropriate for your release process.
  • If compromise is suspected, treat this as a trust-boundary incident (database dump + admin credential recovery + command execution). Prioritize: reviewing web access logs for CloneSite endpoints, rotating credentials stored in the database, and checking for unexpected system process execution on the web host.
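The last two advisory items, carried through in PHP as an added example that is not AVideo's or the advisory's own code: every request-supplied rsync parameter is allowlist-validated and then passed through escapeshellarg(), and legacy MD5 rows are transparently re-hashed with password_hash() on a successful login. The function names, parameter names and the allowed-root check are assumptions.

```php
<?php
// Added example, not AVideo's own code. Function names, parameter names and the
// allowed-root check are assumptions; the escaping follows the advisory's
// "use escapeshellarg() on all interpolated values" guidance.

// Allowlist-validate every request-supplied value, then quote each one with
// escapeshellarg() so it reaches rsync as exactly one argument rather than as
// shell syntax. The leading-character rules also keep any value from starting
// with '-', so none can be parsed by rsync as an option.
function buildRsyncCommandSafe(string $user, string $host, string $remotePath,
                               string $localPath, string $allowedRoot): string
{
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('invalid remote user');
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        throw new InvalidArgumentException('invalid remote host');
    }
    // Remote path must be absolute and free of '..' segments.
    if ($remotePath === '' || $remotePath[0] !== '/' || preg_match('#(^|/)\.\.(/|$)#', $remotePath)) {
        throw new InvalidArgumentException('invalid remote path');
    }
    // Local destination is canonicalised and must stay under the configured root.
    $real = realpath($localPath);
    $root = realpath($allowedRoot);
    if ($real === false || $root === false
        || ($real !== $root && strpos($real, $root . DIRECTORY_SEPARATOR) !== 0)) {
        throw new InvalidArgumentException('local path outside allowed root');
    }
    return 'rsync -az ' . escapeshellarg("{$user}@{$host}:{$remotePath}") . ' ' . escapeshellarg($real);
}

// Companion to "replace MD5 with password_hash()": verify the stored hash and,
// for a legacy 32-hex MD5 row, return a password_hash() value to persist.
// Returns null when the password is wrong and '' when no re-hash is needed.
function verifyAndUpgradeHash(string $password, string $storedHash): ?string
{
    if (preg_match('/^[0-9a-f]{32}$/i', $storedHash)) {
        return hash_equals(strtolower($storedHash), md5($password))
            ? password_hash($password, PASSWORD_DEFAULT) : null;
    }
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT) : '';
}
```

realpath() fails closed when the destination does not exist yet, so create the target directory under the allowed root before building the command.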

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
