Critical severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026
AVideo has Unauthenticated SSRF via plugin/Live/test.php
CVE-2026-33502
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in plugin/Live/test.php allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.
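A detection sketch for the behaviour described above, added here as an example (not code from AVideo or the advisory): it scans web access logs for requests to plugin/Live/test.php whose query string carries a URL pointing at localhost, private, or link-local (cloud metadata) addresses. The combined log format, the sample lines, and the placeholder parameter name `x` are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/plugin/Live/test.php"  # path named in the advisory
# Client and request fields of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_internal_host(host):
    """True for localhost names and loopback/private/link-local IP literals."""
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary DNS name; resolving it is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local

def internal_targets(log_line):
    """Return (client, url) pairs for test.php requests carrying an internal URL."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    client, target = m.group(1), urlsplit(m.group(2))
    if not target.path.endswith(ENDPOINT):
        return []
    hits = []
    # The advisory text does not name the parameter, so every value is checked.
    for _name, value in parse_qsl(target.query):
        try:
            parsed = urlsplit(value)
            host = parsed.hostname
        except ValueError:
            continue  # malformed URL value
        if parsed.scheme in ("http", "https") and host and is_internal_host(host):
            hits.append((client, value))
    return hits

# Constructed sample lines; the parameter name "x" is a placeholder.
SAMPLE = [
    '203.0.113.7 - - [24/Mar/2026:10:00:01 +0000] "GET /plugin/Live/test.php?x=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Mar/2026:10:00:02 +0000] "GET /plugin/Live/test.php?x=http://127.0.0.1/ HTTP/1.1" 200 0',
    '198.51.100.9 - - [24/Mar/2026:10:00:03 +0000] "GET /plugin/Live/test.php?x=https://example.com/live HTTP/1.1" 200 90',
    '198.51.100.9 - - [24/Mar/2026:10:00:04 +0000] "GET /view/?x=http://127.0.0.1/ HTTP/1.1" 200 90',
]
```

A hostname that resolves to an internal address is not caught by this literal-only check, so any hit on the endpoint from an unexpected client still deserves review.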
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- github.com/advisories/GHSA-3fpm-8rjr-v5mc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33502 (ghsa, ADVISORY)
- github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 (ghsa, x_refsource_MISC, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc (ghsa, x_refsource_CONFIRM, WEB)