Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the plugin/Live/standAloneFiles/saveDVR.json.php file of the AVideo Live plugin. This flaw allows attackers to trigger server-side requests to arbitrary internal or external resources by manipulating the webSiteRootURL parameter. Versions of the plugin prior to 26.0 are affected, and an upgrade is required to address this vulnerability. The vulnerability was publicly disclosed on 2026-03-19.
The SSRF vulnerability in the AVideo Live plugin allows an attacker to craft malicious requests that the server will execute. Because the webSiteRootURL parameter is passed directly to file_get_contents() without validation, an attacker can control the destination of these requests. This could lead to the exposure of sensitive internal resources, such as configuration files, database credentials, or internal APIs. Furthermore, an attacker could potentially use the server as a proxy to scan internal networks or interact with other internal services, leading to lateral movement within the network. The standalone deployment model exacerbates the risk, as it is intended for environments where the plugin has greater access to internal resources.
Exploitation of this vulnerability is considered highly probable due to the ease of exploitation and the lack of authentication or input validation. Public proof-of-concept code is likely to emerge given the straightforward nature of the SSRF. The vulnerability was published on 2026-03-19, and it is reasonable to expect active scanning and potential exploitation attempts. No KEV listing or confirmed exploitation reports are currently available.
Exploit Status
EPSS
0.08% (24th percentile)
The primary mitigation for CVE-2026-33351 is to upgrade the AVideo Live plugin to version 26.0 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious values in the webSiteRootURL parameter. Specifically, look for unusual protocols (e.g., file://, gopher://) or internal IP addresses. Additionally, restrict network access to the server hosting the plugin to only allow necessary connections. After upgrading, verify the fix by attempting to access an internal resource via the vulnerable parameter; the request should be rejected.
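The following PHP is an added illustration of the server-side check that the unvalidated file_get_contents() call described earlier and the protocol/internal-address filtering suggested in the mitigation both point at. It is not AVideo's code and not the 26.0 patch itself; the function names, the host allowlist and the sample addresses are assumptions. It constrains a caller-supplied webSiteRootURL to http/https, to a host the deployment is configured to serve, and to addresses outside private and reserved ranges before anything is handed to file_get_contents():

```php
<?php
// Added example (not AVideo's code): validate a caller-supplied root URL before
// it is passed to file_get_contents(). Function names and the allowlist are assumed.

/**
 * True when $ip is loopback, link-local, RFC 1918, fc00::/7, or otherwise
 * reserved, as classified by PHP's filter extension. Anything that is not a
 * well-formed IP at all is also treated as non-public (reject by default).
 * Caveat: the filter flags do not cover every special-purpose block (e.g.
 * 100.64.0.0/10), so pair this with a host allowlist rather than relying on it alone.
 */
function isNonPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

/**
 * Returns a canonical "scheme://host[:port]/" string if $url is acceptable,
 * or null if it must be rejected. $allowedHosts is the set of hostnames the
 * deployment actually serves (assumed to come from server-side configuration).
 * Set $allowPrivateAddresses = true only for deployments that legitimately
 * live on a private network; the allowlist is then the only control.
 */
function validateWebSiteRootURL(string $url, array $allowedHosts, bool $allowPrivateAddresses = false): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null; // file:///etc/passwd has no host and fails here
    }

    // Only http and https; this rejects file://, gopher://, php://, dict://, ftp:// ...
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }

    // Embedded credentials (http://trusted@127.0.0.1/) are a classic way to
    // confuse naive string checks; refuse them outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // parse_url keeps the brackets on IPv6 literals ("[::1]"); strip them.
    $host = strtolower(trim($parts['host'], '[]'));

    // Strongest control: the host must be one this instance is configured to serve.
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return null;
    }

    // Defence in depth against allowlisted names that resolve to internal
    // addresses (DNS rebinding): resolve and check every A/AAAA answer.
    if (!$allowPrivateAddresses) {
        $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
            ? [$host]
            : array_merge(
                array_column(dns_get_record($host, DNS_A) ?: [], 'ip'),
                array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6')
            );
        if ($addresses === []) {
            return null; // unresolvable: fail closed
        }
        foreach ($addresses as $ip) {
            if (isNonPublicIp($ip)) {
                return null;
            }
        }
    }

    // Rebuild the URL from validated pieces so nothing else from the input
    // (path, query, fragment) is carried into the outbound request base.
    $port = isset($parts['port']) ? ':' . (int) $parts['port'] : '';
    return $scheme . '://' . $host . $port . '/';
}

// Constructed inputs for a stand-alone run; 203.0.113.10 is a documentation
// (TEST-NET-3) address used here as the deployment's own public address.
$allowed = ['203.0.113.10'];
$samples = [
    'https://203.0.113.10/',                // accepted -> https://203.0.113.10/
    'https://203.0.113.10:8443/live/x?y=1', // accepted -> https://203.0.113.10:8443/
    'file:///etc/passwd',                   // rejected: no host, not http(s)
    'gopher://203.0.113.10:70/_stats',      // rejected: scheme
    'http://127.0.0.1/',                    // rejected: not allowlisted (and loopback)
    'http://203.0.113.10@127.0.0.1/',       // rejected: embedded credentials
];
foreach ($samples as $s) {
    $r = validateWebSiteRootURL($s, $allowed);
    printf("%-40s => %s\n", $s, $r ?? 'REJECTED');
}
```

The allowlist comparison does the real work; the resolution step only guards against an allowlisted name that later points at an internal address, and it is deliberately skippable for deployments that run entirely on a private network, which is where the advisory notes the standalone model is most exposed. Rebuilding the URL from the validated scheme, host and port, rather than echoing the input back, is what keeps a WAF-style pattern check from being the only line of defence.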
Update AVideo to version 26.0 or higher. This version contains a fix for the SSRF vulnerability in the Live plugin.
CVE-2026-33351 is a critical SSRF vulnerability in the AVideo Live plugin, allowing attackers to make server-side requests to arbitrary resources. Versions affected are those prior to 26.0.
You are affected if you are using the AVideo Live plugin in standalone mode and are running a version prior to 26.0.
Upgrade the AVideo Live plugin to version 26.0 or later. As a temporary workaround, implement a WAF rule to block suspicious webSiteRootURL values.
While no confirmed exploitation is currently reported, the ease of exploitation suggests a high probability of active scanning and potential attacks.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-33351.