CVE-2026-33502: Server-Side Request Forgery in AVideo

Severity: 8.2 HIGH (NVD)
EPSS: 0.1% (top 83.15%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (see Affected Packages below)
Timeline: Published Mar 23; latest update Apr 14

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Exploitability: 3.9 | Impact: 4.2

Affected Packages (2 packages)

NVD: wwbn/avideo 26.0
Packagist: wwbn/avideo 26.0 (+1)

Patches

Vulnerability Details (3)

GHSA: WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection (2026-04-14)
OSV: AVideo has Unauthenticated SSRF via plugin/Live/test.php (2026-03-20)
GHSA: AVideo has Unauthenticated SSRF via plugin/Live/test.php (2026-03-20)

Threat Intelligence (1)

Wiz: CVE-2026-33502 Impact, Exploitability, and Mitigation Steps | Wiz