Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the plugin/Live/standAloneFiles/saveDVR.json.php file of the AVideo Live plugin. The flaw lets an unauthenticated attacker make the server issue requests to arbitrary URLs, which can expose internal resources. It affects plugin versions up to and including 26.0 and is of particular concern in standalone deployments, where this file is intended to be used. A fix is available in version 26.0.1.
The vulnerability is caused by the $_REQUEST['webSiteRootURL'] parameter being passed straight into file_get_contents(). Because the file performs no authentication, no origin validation and no URL allowlisting, an attacker controls both the scheme and the host of the fetched URL: http(s) URLs can reach internal services or loopback, and PHP stream wrappers such as file:// or php:// can read local files. The result can be read as part of the response or used to probe services the server can reach, which may lead to data exfiltration. The standalone deployment model makes this worse, because the file runs outside the main application's request handling and so inherits none of its usual session and authentication checks. This could lead to data breaches, privilege escalation and compromise of the host.
This vulnerability was publicly disclosed on 2026-03-19. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. The lack of authentication and direct use of user-supplied input in a server-side request function aligns with common SSRF exploitation patterns. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing the AVideo Live plugin in standalone mode are particularly at risk. This includes deployments where the plugin is used to stream live video content and requires direct access to internal resources for configuration or data storage. Shared hosting environments where multiple users share the same server instance are also vulnerable, as a compromised plugin instance could potentially be used to attack other users on the same server.
• php: Examine access logs for requests to plugin/Live/standAloneFiles/saveDVR.json.php with unusual values in the webSiteRootURL parameter. Look for scheme prefixes other than http:// or https://: file:// and php:// are accepted by file_get_contents() directly, and scanners also try schemes such as gopher:// even though that wrapper is not available to file_get_contents(). In the log the value is URL-encoded, so match on file%3A%2F%2F and similar as well. Because the parameter is read from $_REQUEST, it can also arrive in a POST body, which access logs do not record; treat POST requests to this endpoint as suspicious on their own.
grep 'saveDVR.json.php.*webSiteRootURL=' /var/log/apache2/access.log
• generic web: Use curl to test the endpoint with a crafted webSiteRootURL parameter pointing to an internal resource, or to an HTTP listener you control, and verify that the server attempts to fetch it.
curl 'http://your-avideo-server/plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http://localhost/sensitive_data' -s
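The checks the vulnerable file omits, and the log hunt described in the detection steps above, as one added Python example. This is not AVideo code: a hardened saveDVR.json.php would need equivalent scheme and host validation in PHP before calling file_get_contents(). The allowed site host (ALLOWED_HOSTS) and the access-log lines (SAMPLE_LOG) are constructed for the example.

```python
"""
Added example, not AVideo project code: classify candidate webSiteRootURL
values the way a hardened endpoint must before fetching them, and run the
same classifier over Apache/nginx combined-format access-log lines to find
SSRF attempts against saveDVR.json.php. ALLOWED_HOSTS and SAMPLE_LOG are
constructed assumptions for this example.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the deployment's real site host(s). A webSiteRootURL pointing
# anywhere else has no legitimate reason to be fetched by the server.
ALLOWED_HOSTS = {"video.example.com"}

ENDPOINT = "/plugin/Live/standAloneFiles/saveDVR.json.php"


def classify_url(value, allowed_hosts=ALLOWED_HOSTS):
    """Return (accepted, reason) for a candidate webSiteRootURL value."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    # file://, php://, data:// and friends are PHP stream wrappers that
    # file_get_contents() would open; only http(s) is acceptable here.
    if scheme not in ("http", "https"):
        return False, f"scheme {scheme or '(none)'} not allowed"
    host = parts.hostname  # lowercased, port and userinfo stripped
    if not host:
        return False, "no host"
    # Literal IPs: reject loopback, RFC 1918, link-local (cloud metadata), etc.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        return False, f"non-public address {ip}"
    # Final gate: exact match against the configured site host(s).
    if host not in allowed_hosts:
        return False, f"host {host} not in allowlist"
    return True, "ok"


# Combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, method, value, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m.group("target"):
            continue
        # parse_qs URL-decodes, so file%3A%2F%2F comes back as file://
        query = urlsplit(m.group("target")).query
        values = parse_qs(query).get("webSiteRootURL", [])
        if not values and m.group("method") == "POST":
            # $_REQUEST also reads POST bodies, which access logs never record
            hits.append((m.group("ip"), "POST", "",
                         "POST body not logged; inspect request separately"))
        for value in values:
            ok, reason = classify_url(value, allowed_hosts)
            if not ok:
                hits.append((m.group("ip"), m.group("method"), value, reason))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2026:10:01:02 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=https%3A%2F%2Fvideo.example.com%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Mar/2026:10:02:15 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http%3A%2F%2Flocalhost%2Fsensitive_data HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.9 - - [19/Mar/2026:10:02:40 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1420 "-" "curl/8.5.0"',
    '198.51.100.9 - - [19/Mar/2026:10:03:01 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 300 "-" "curl/8.5.0"',
    '198.51.100.9 - - [19/Mar/2026:10:03:30 +0000] "POST /plugin/Live/standAloneFiles/saveDVR.json.php HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '203.0.113.7 - - [19/Mar/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The allowlist is the control that matters; the literal-IP check is defence in depth. Comparing host names does not stop DNS rebinding, so a real fix should either resolve the name itself and connect to the checked address, or avoid fetching a client-supplied URL at all and use the site URL from the server's own configuration.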
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33351 is to upgrade the AVideo Live plugin to version 26.0.1 or later, which includes the fix. If upgrading immediately is not possible, deny access to plugin/Live/standAloneFiles/saveDVR.json.php at the web-server level if your deployment does not use the standalone DVR flow, or add a Web Application Firewall (WAF) rule that rejects requests whose webSiteRootURL parameter, in the query string or the POST body, does not start with your own site URL. Additionally, restrict outbound connections from the web server so it cannot reach link-local (cloud metadata) or internal addresses it has no need for. Monitor egress (firewall or proxy) logs for unusual outbound connections from the web server, and access logs for requests to the endpoint; access logs do not show outbound traffic. After upgrading, confirm the fix by attempting to access an internal resource via the previously vulnerable endpoint; the request should be rejected or result in an error.
Update AVideo to version 26.0.1 or later. This version contains the fix for the SSRF vulnerability in the Live plugin.
CVE-2026-33351 is a critical SSRF vulnerability in the AVideo Live plugin that allows unauthenticated attackers to make the server request arbitrary URLs. Versions up to and including 26.0 are affected.
You are affected if you are running the AVideo Live plugin at version 26.0 or earlier, and especially if you use it in standalone mode, where saveDVR.json.php is intended to be reachable.
Upgrade the AVideo Live plugin to version 26.0.1 or later. As a temporary workaround, block access to saveDVR.json.php if you do not use it, or add a WAF rule that rejects webSiteRootURL values not pointing at your own site.
While no confirmed exploitation is currently reported, the ease of exploitation suggests a high probability of active scanning and potential attacks.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-33351.