CVE-2026-33502

CRITICAL wwbn NVD

CVSS Score 9.3

Severity CRITICAL

Published Mar 23, 2026

Vendor wwbn

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

References

https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc