Vulnerabilities3 min read
AVideo RCE Chain Gives Attackers Full Server Access Without Auth
Three vulnerabilities in AVideo's CloneSite plugin chain together for unauthenticated remote code execution. CVE-2026-33478 has no patch available as attackers can extract admin credentials and inject OS commands.
Marcus ChenMar 23, 2026