CVE-2026-33502

Received
Published: 23 Mar 2026, 16:29
Last modified:23 Mar 2026, 16:29

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.3 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

23 Mar 2026, 16:29
Published
Vulnerability first disclosed

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

CVSS Metrics

  • v3.1CRITICALScore: 9.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Techniques & Countermeasures

  • CWE-918Server-Side Request Forgery (SSRF)

    The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Systems

  • wwbnavideo

    ≤ 26.0

References (2)