CVE-2026-33502

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc	Exploit Mitigation Vendor Advisory
https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

24 Mar 2026, 17:01

Type	Values Removed	Values Added
References	~~() https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 -~~	() https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 - Patch
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc - Exploit, Mitigation, Vendor Advisory
First Time		Wwbn Wwbn avideo
CPE		cpe:2.3:a:wwbn:avideo::::::::

24 Mar 2026, 16:16

Type	Values Removed	Values Added
Summary		(es) WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, una vulnerabilidad de falsificación de petición del lado del servidor no autenticada en 'plugin/Live/test.php' permite a cualquier usuario remoto hacer que el servidor AVideo envíe peticiones HTTP a URLs arbitrarias. Esto puede usarse para sondear servicios localhost/internos y, cuando son accesibles, acceder a recursos HTTP internos o puntos finales de metadatos en la nube. El commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contiene un parche.
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc -

23 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-23 17:16

Updated : 2026-03-24 17:01

NVD link : CVE-2026-33502

Mitre link : CVE-2026-33502

CVE.ORG link : CVE-2026-33502

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-918

Server-Side Request Forgery (SSRF)

9.3 /10