CVE-2026-33351 — Server-Side Request Forgery in Avideo

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.1%

top 76.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateMar 19

PublishedMar 23

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶NVDwwbn/avideo< 26.0

▶Packagistwwbn/avideo26.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass↗2026-03-19

▶

GHSA

AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33351 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶