Wwbn - Avideo - CRITICAL - CVE-2026-33478. The CloneSite plugin in WWBN AVideo, an open-source video platform, has multiple vulnerabilities that allow unauthenticated attackers to execute remote code. The `clones.json.php` endpoint exposes clone secret keys, enabling attackers to trigger a complete database dump through `cloneServer.json.php`. This dump includes admin password hashes in MD5 format, which can be easily cracked. With administrative access, attackers can exploit an OS command injection due to faulty rsync command construction in `cloneClient.json.php`, allowing arbitrary command execution on the server. A patch has been introduced in commit c85d076375fab095a14170df7ddb27058134d38c to remediate these issues.