A vulnerability has been found in AVideo 29.0 and classified as critical. This affects an unknown part of the file ffmpeg.json.php of the component FFmpeg JSON Endpoint. Performing a manipulation of the argument notifyCode/callback results in os command injection.

This vulnerability is reported as CVE-2026-63305. The attack is possible to be carried out remotely. No exploit exists.