CVE-2026-33502

Published: Mar 23, 2026Modified: Mar 24, 2026

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitability: 3.9 / Impact: 4.2

Source: NVD

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

Affected (1)

Products: Wwbn: Avideo

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wwbn Avideo	Up to 26.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3

Source: security-advisories@github.com

Patch

https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitMitigationVendor Advisory

Timeline

No history available yet.