CVE-2026-33502
Published 2026-03-23
Priority: P3 (55) · CVSS 3.1: 8.2 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.44% (35.3rd percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
| wwbn | avideo | 0 – 29.0 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| GHSA | — | 8.2 | HIGH | — |
GHSA · 2026-04-14 · CVSS 8.2 HIGH · CWE-78
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
### Summary
The incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil.com`.
### Affected Package
- **Ecosystem:** Other
- **Package:** AVideo
- **Affected versions:** = commit 1e6cf03e93b5
### Details
The vulnerable `wget()` function in `plugin/Live/test.php`:
```php
function wget($url, $filename) {
$cmd = "wget --tries=1 {$url} -O {$filename} --no-check-certificate";
exec($cmd);
}
```
Neither `$url` nor `$filename` is passed through `escapeshellarg()`. The URL validation uses `preg_match("/^http/", $url)` which:
- Does not require `://` (matches `httpevil.c
OSV · 2026-03-20 · CRITICAL
AVideo has Unauthenticated SSRF via plugin/Live/test.php
### Summary
An unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints.
### Details
The endpoint accepts `$_REQUEST['statsURL']` and only checks that it starts with `http`:
```php
$statsURL = $_REQUEST['statsURL'];
if (empty($statsURL) || $statsURL == "php://input" || !preg_match("/^http/", $statsURL)) {
exit;
}
```
It then calls:
```php
$result = url_get_contents($statsURL, 2);
```
Inside the same file, `url_get_contents()` performs a real outbound request with `file_get_contents()`
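The two weaknesses described on this page, the `/^http/` prefix check behind the SSRF and the unquoted `exec()` in `wget()` from the incomplete-fix advisory, share one root cause: the URL is never parsed or resolved before it is used. The block below is an added example written for this page; it is not AVideo project code and not the upstream patch. `is_safe_outbound_url()`, `fetch_stats()` and `safe_wget()` are hypothetical names, and the resolver table and test URLs are constructed so it runs offline. It shows a parse-and-resolve gate that rejects non-http(s) schemes, credentials in the authority, and any host that resolves to a loopback, link-local, private or reserved address, then places that gate in front of both `file_get_contents()` (with redirects disabled) and a properly quoted `wget` command.

```php
<?php
// Added example for this page, not AVideo project code. Function names,
// the resolver table and the test URLs are constructed for an offline run.

/**
 * Accept only absolute http(s) URLs whose host resolves exclusively to
 * public unicast addresses. $resolve is injectable so the example needs
 * no network; production code passes gethostbynamel() (A records only)
 * or a dns_get_record() wrapper that also returns AAAA answers.
 */
function is_safe_outbound_url(string $url, ?callable $resolve = null): bool
{
    $resolve = $resolve ?? fn(string $h) => gethostbynamel($h) ?: [];

    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;                       // "httpevil.com": passes /^http/ but is not a URL at all
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                       // php://, file://, gopher://, ftp:// wrappers
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                       // http://trusted@127.0.0.1/ style authority confusion
    }

    $host  = strtolower(trim($p['host'], '[]'));     // parse_url keeps [] around IPv6 literals
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addrs === []) {
        return false;                       // unresolvable host: fail closed
    }
    // Every answer must be public: a name with one public and one private
    // record is still an SSRF vector, and decimal/hex hosts such as 2130706433
    // come back from the resolver as 127.0.0.1 and are caught here as well.
    // Flags cover 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8, 240/4, ::1, fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($addrs as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

/** Replacement for the statsURL path: gate first, then fetch without following redirects. */
function fetch_stats(string $url, int $timeout = 2)
{
    if (!is_safe_outbound_url($url)) {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'timeout'         => $timeout,
        'follow_location' => 0,             // a 302 to http://127.0.0.1/ would re-open the hole
        'ignore_errors'   => true,
    ]]);
    return file_get_contents($url, false, $ctx);
}

/** Replacement for the wget() path: same gate, every operand quoted, no redirects. */
function safe_wget(string $url, string $filename): bool
{
    if (!is_safe_outbound_url($url)) {
        return false;
    }
    // escapeshellarg() turns "http://x/;id" into one argv entry instead of a second command.
    // --no-check-certificate from the original is dropped so TLS is verified.
    $cmd = 'wget --tries=1 --max-redirect=0 ' . escapeshellarg($url)
         . ' -O ' . escapeshellarg($filename);
    exec($cmd, $output, $rc);
    return $rc === 0;
}

// Offline demonstration: constructed DNS answers, no lookups or requests are made.
$table = [
    'stats.example.com'  => ['203.0.113.10'],
    'rebind.example.com' => ['203.0.113.10', '10.0.0.5'],   // mixed public/private answer
    '2130706433'         => ['127.0.0.1'],                  // what glibc returns for decimal 127.0.0.1
];
$fakeDns = fn(string $h) => $table[$h] ?? [];

$cases = [
    'http://stats.example.com/stats'            => true,
    'https://stats.example.com/stats'           => true,
    'httpevil.com'                              => false,
    'php://input'                               => false,
    'http://127.0.0.1:8080/'                    => false,
    'http://169.254.169.254/latest/meta-data/'  => false,
    'http://[::1]/'                             => false,
    'http://rebind.example.com/'                => false,
    'http://2130706433/'                        => false,
    'http://trusted@stats.example.com/'         => false,
];
foreach ($cases as $url => $expected) {
    $verdict = is_safe_outbound_url($url, $fakeDns) === $expected ? 'ok' : 'MISMATCH';
    printf("%-45s %s\n", $url, $verdict);
}
```

Run it with `php ssrf_gate.php`; every case should print `ok`. Two limits the gate does not remove: `gethostbynamel()` only returns A records, so IPv6-capable deployments need a resolver that also returns AAAA answers, and a validate-then-connect design still has a DNS rebinding window between the lookup in the gate and the lookup inside `file_get_contents()` or `wget`. When the target is attacker-controlled, pin the connection to the validated address (for example curl's `CURLOPT_RESOLVE`) rather than letting the client resolve the name a second time.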
GHSA · 2026-03-20 · CRITICAL · CWE-918
AVideo has Unauthenticated SSRF via plugin/Live/test.php
Summary and details are identical to the OSV advisory above.
No detection rules found.
No public exploits indexed.