Description
WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue.
Published: 2026-03-23
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Server-Side Request Forgery that can bypass verification and request arbitrary URLs
Action: Patch Immediately
AI Analysis

Impact

AVideo contains an authentication-less SSRF flaw in the Live plugin’s saveDVR.json.php file. The webSiteRootURL request parameter is concatenated directly into a file_get_contents call without any validation or allowlisting. This allows an attacker to cause the server to fetch any HTTP or HTTPS URL, providing a path for data exfiltration, internal network reconnaissance, or the ability to reach services behind firewalls. The vulnerability also lets the attacker bypass verification steps inherent to the platform, potentially enabling further privilege escalation or content manipulation.

Affected Systems

The issue affects all WWBN AVideo installations running any version prior to 26.0 when the Live plugin is deployed in its standalone configuration. Version 26.0 incorporates a patch that mitigates the SSRF by correctly validating the webSiteRootURL parameter and implementing proper origin checks.
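To make the mechanism described in the Impact section and the fix described above concrete, here is an added illustration (not AVideo's own code, and not the actual patch): the unsafe pattern the description names, beside a hardened variant that accepts the parameter only when it matches the operator-configured site root. The constant ALLOWED_ROOT_URL, the appended path status.json and all function names are assumptions.

```php
<?php
// Added example, not AVideo's own code. Assumes PHP 8+.
// ALLOWED_ROOT_URL and the 'status.json' suffix are assumed deployment details.
const ALLOWED_ROOT_URL = 'https://video.example.org/';

// Unsafe (schematic): the client-supplied value becomes the base of a server-side fetch,
// so the client chooses scheme, host and port of the request the server makes.
function fetchUnsafe(array $request): string|false
{
    $url = $request['webSiteRootURL'] . 'status.json';
    return @file_get_contents($url);
}

// Hardened: accept the parameter only if scheme, host and port equal the configured
// root and it carries no credentials, query or fragment; then return the trusted
// configured value rather than echoing the raw input back into the fetch.
function validateRootUrl(?string $candidate, string $allowedRoot = ALLOWED_ROOT_URL): ?string
{
    if ($candidate === null || strlen($candidate) > 2048) {
        return null;
    }
    $p = parse_url($candidate);
    $a = parse_url($allowedRoot);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                                    // malformed or relative URL
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['query']) || isset($p['fragment'])) {
        return null;                                    // e.g. https://video.example.org@evil.test/
    }
    if (strcasecmp($p['scheme'], $a['scheme']) !== 0
        || strcasecmp($p['host'], $a['host']) !== 0
        || ($p['port'] ?? null) !== ($a['port'] ?? null)) {
        return null;                                    // not our origin: refuse, do not fetch
    }
    return $allowedRoot;
}

function fetchHardened(array $request): string|false
{
    $root = validateRootUrl($request['webSiteRootURL'] ?? null);
    if ($root === null) {
        http_response_code(400);                        // reject instead of fetching
        return false;
    }
    // No redirect following and a short timeout, so a same-origin response cannot
    // bounce the server elsewhere or hold the worker open.
    $ctx = stream_context_create([
        'http' => ['timeout' => 5, 'follow_location' => 0, 'max_redirects' => 0],
    ]);
    return file_get_contents($root . 'status.json', false, $ctx);
}
```

Rejected requests are a useful detection signal: logging the raw rejected value from fetchHardened gives defenders a record of probing against the endpoint.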

Risk and Exploitability

The CVSS base score of 9.1 indicates a high-severity flaw. Because no authentication is required and the server is instructed to fetch arbitrary URLs, exploitation is straightforward for anyone able to reach the vulnerable endpoint. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the combination of a high CVSS, lack of safeguards, and the public nature of the code base suggests a high likelihood of exploitation in the wild. Attackers can initiate requests simply by submitting a crafted webSiteRootURL value to the saveDVR.json.php endpoint, making the vulnerability readily exploitable.

Generated by OpenCVE AI on March 23, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to version 26.0 or newer where the SSRF is patched.
  • If an upgrade is not immediately possible, restrict access to the Live plugin’s saveDVR.json.php endpoint by firewall rules or by removing it from the publicly reachable path.
  • Disable the Live plugin or configure the application to reject the webSiteRootURL parameter altogether if the functionality is not required.

Advisories

Source: Github GHSA
ID: GHSA-5f7v-4f6g-74rj
Title: AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
History

Mon, 23 Mar 2026 19:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 16:00:00 +0000

Type: First Time appeared
Values added: Wwbn; Wwbn avideo

Type: CPEs
Values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Wwbn; Wwbn avideo

Mon, 23 Mar 2026 14:00:00 +0000

Type: Description
Values added: WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue.

Type: Title
Values added: AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass

Type: Weaknesses
Values added: CWE-918

Type: References
Values added: (none listed in this entry)

Type: Metrics
Values added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T18:44:50.468Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33351

Vulnrichment

Updated: 2026-03-23T18:41:09.381Z

NVD

Status: Analyzed

Published: 2026-03-23T14:16:33.423

Modified: 2026-03-23T15:57:06.210

Link: CVE-2026-33351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:28:09Z

Weaknesses