Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33502 describes a server-side request forgery (SSRF) vulnerability found in the wwbn/avideo component, specifically within the plugin/Live/test.php file. This flaw allows unauthenticated remote users to manipulate the AVideo server into sending HTTP requests to arbitrary URLs, potentially exposing internal resources. The vulnerability affects versions of wwbn/avideo up to and including 26.0, and a fix is expected to be released by the vendor.
The SSRF vulnerability in wwbn/avideo poses a significant risk because it allows attackers to bypass security controls and interact with internal systems. An attacker could use this vulnerability to scan internal networks for open ports and services, access sensitive data stored on internal HTTP endpoints, or even retrieve cloud metadata containing credentials. This could lead to data breaches, unauthorized access to internal resources, and potentially, complete compromise of the affected system. The lack of authentication required to exploit the vulnerability amplifies the potential impact, as any remote user can attempt to leverage it.
CVE-2026-33502 was publicly disclosed on 2026-03-20. The vulnerability is relatively straightforward to exploit, given the lack of authentication and the simple validation of the statsURL parameter. No public proof-of-concept (PoC) code has been identified at the time of writing, but the ease of exploitation suggests that a PoC is likely to emerge. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33502 is to upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until a patch is applied, consider implementing temporary workarounds. A Web Application Firewall (WAF) or reverse proxy can be configured to filter outbound HTTP requests, blocking those destined for internal or unauthorized domains. Strict input validation on the statsURL parameter, ensuring it adheres to a whitelist of allowed domains, can also reduce the attack surface. Monitor access logs for suspicious outbound requests to internal IP addresses or unusual domains.
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. This will prevent unauthenticated users from performing SSRF requests through the Live plugin.
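The workaround above (allowlisting the destination of the statsURL parameter) is easy to get subtly wrong, so here is an added example of what a complete server-side check looks like. This is illustration code written for this page, not AVideo's own plugin/Live/test.php or the vendor's fix; the parameter name statsURL comes from the advisory, while the allowlisted hostnames, the function names and the sample inputs are assumptions. It requires PHP 8.0 or later and the curl extension.

```php
<?php
// Added example (not AVideo's code): validate a user-supplied stats URL
// against an allowlist before the server is allowed to fetch it.
// ALLOWED_STATS_HOSTS is an assumed list; replace it with your real
// statistics endpoints.
const ALLOWED_STATS_HOSTS = ['stats.example.com', 'rtmp-stats.example.com'];

// True for RFC 1918, loopback, link-local and reserved addresses, i.e.
// anything the server should never be tricked into talking to.
function isPrivateAddress(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

// Returns a canonical, allowlisted URL, or null if the input must be rejected.
function validateStatsUrl(string $url, array $allowedHosts = ALLOWED_STATS_HOSTS): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;                         // unparsable or relative URL
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                         // no file://, gopher://, dict:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                         // reject "http://allowed@internal/" tricks
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, $allowedHosts, true)) {
        return null;                         // host not on the allowlist
    }
    // Resolve the allowlisted name and refuse it if any address is internal.
    // gethostbynamel() only returns IPv4 records; an IPv6-only host is rejected
    // here, which is the safe default for this example. A DNS-rebinding window
    // between this check and the fetch still exists; an egress proxy closes it.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {
        if (isPrivateAddress($ip)) {
            return null;
        }
    }
    // Rebuild the URL from validated parts instead of echoing the raw input.
    $port  = isset($parts['port']) ? ':' . (int) $parts['port'] : '';
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $scheme . '://' . $host . $port . $path . $query;
}

// Fetch only what validateStatsUrl() returned, with redirects disabled so a
// 302 from the allowlisted host cannot send the request somewhere internal.
function fetchStats(string $validatedUrl): string|false
{
    $ch = curl_init($validatedUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed sample inputs for the check (assumed values, not from the advisory).
$raw = $_GET['statsURL'] ?? 'http://10.0.0.5/status';   // private address: rejected
$ok  = validateStatsUrl($raw);
if ($ok === null) {
    http_response_code(400);
    echo "statsURL rejected\n";
} else {
    echo fetchStats($ok) ?: "fetch failed\n";
}
```

The order of the checks matters: scheme and allowlist are decided on the parsed URL before any DNS lookup happens, so untrusted input never causes a resolution of an arbitrary name, and the fetch uses the rebuilt URL rather than the original string. When run offline the allowlisted hostnames will not resolve and the function returns null, which is the intended fail-closed behaviour.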
CVE-2026-33502 is a CRITICAL SSRF vulnerability in wwbn/avideo versions up to 26.0, allowing attackers to make the server send HTTP requests to arbitrary URLs, potentially exposing internal resources.
You are affected if you are using wwbn/avideo version 26.0 or earlier. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of wwbn/avideo. Until then, implement WAF rules or input validation to restrict outbound requests.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes active exploitation likely.
Refer to the official wwbn/avideo security advisories for the latest information and patch releases.