CVE-2026-33502 - Vulnerability Details

- AVideo has Unauthenticated SSRF via plugin/Live/test.php

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

Published: 2026-03-23

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An unauthenticated server‑side request forgery (SSRF) flaw exists in the AVideo video platform at the "plugin/Live/test.php" path. The flaw allows any remote user to instruct the server to send HTTP requests to arbitrary URLs. This can expose internal services, cloud metadata endpoints, or other resources reachable from the AVideo host, potentially leaking sensitive information. The weakness aligns with CWE‑918.

Affected Systems

The vulnerability affects the AVideo platform developed by WWBN. All releases up to and including version 26.0 contain the flaw. A patch commit (1e6cf03e93b5a5318204b010ea28440b0d9a5ab3) has been published to fix the issue; newer releases should be considered safe.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is below 1 %, suggesting low current exploitation probability, but the attack vector is remote, unauthenticated, and requires no special privileges. Based on the description, it is inferred that a determined attacker could trigger the SSRF by issuing HTTP requests from any network accessible to the AVideo server. The vulnerability is not listed in CISA's KEV catalog, so there is no known active exploitation yet, yet the high severity warrants immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade AVideo to a release newer than 26.0 or apply the patch commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 immediately.
If an upgrade is not possible right away, restrict or disable access to the plugin/Live/test.php endpoint using file‑system permissions or web‑server configuration.
Implement firewall or proxy rules that block outbound HTTP requests from the AVideo server to untrusted destinations.
Monitor application logs for unexpected outbound connections and investigate anomalies.
Keep the AVideo installation regularly updated and review vendor advisories for future security patches.

Generated by OpenCVE AI on March 24, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3fpm-8rjr-v5mc	AVideo has Unauthenticated SSRF via plugin/Live/test.php

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc

History

Tue, 24 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Tue, 24 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Mon, 23 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.
Title		AVideo has Unauthenticated SSRF via plugin/Live/test.php
Weaknesses		CWE-918
References		https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
Metrics		cvssV3_1 `{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-23T16:29:47.822Z

Updated: 2026-03-24T15:13:52.835Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33502

Vulnrichment

Updated: 2026-03-24T14:57:44.229Z

NVD

Status : Analyzed

Published: 2026-03-23T17:16:51.653

Modified: 2026-03-24T17:01:02.653

Link: CVE-2026-33502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:24Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object