Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33502 describes a server-side request forgery (SSRF) vulnerability found in the wwbn/avideo component, specifically within the plugin/Live/test.php file. This flaw allows unauthenticated remote users to manipulate the AVideo server into sending HTTP requests to arbitrary URLs, potentially exposing internal resources. The vulnerability affects versions of wwbn/avideo up to and including 26.0, and a fix is expected to be released by the vendor.
The SSRF vulnerability in wwbn/avideo poses a significant risk because it allows attackers to bypass security controls and interact with internal systems. An attacker could use this vulnerability to scan internal networks for open ports and services, access sensitive data stored on internal HTTP endpoints, or even retrieve cloud metadata containing credentials. This could lead to data breaches, unauthorized access to internal resources, and potentially, complete compromise of the affected system. The lack of authentication required to exploit the vulnerability amplifies the potential impact, as any remote user can attempt to leverage it.
CVE-2026-33502 was publicly disclosed on 2026-03-20. The vulnerability is relatively straightforward to exploit, given the lack of authentication and the simple validation of the statsURL parameter. No public proof-of-concept (PoC) code has been identified at the time of writing, but the ease of exploitation suggests that a PoC is likely to emerge. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation.
Organizations deploying wwbn/avideo versions 26.0 or earlier are at risk. This includes environments where the AVideo component is exposed to the internet or internal networks without adequate security controls. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• php: Examine the web server access logs for requests to plugin/Live/test.php whose statsURL parameter points at internal or unusual addresses; each such request made the AVideo server issue an outbound HTTP request to that URL. Clients usually send the value percent-encoded, so match both the raw and the encoded form of the scheme separator.

    grep -Ei 'statsURL=[^& ]*(://|%3A%2F%2F)' /var/log/apache2/access.log

• php: Review the plugin/Live/test.php file for the vulnerable code snippet. Check for any modifications that might attempt to bypass the rudimentary input validation.

    grep statsURL plugin/Live/test.php

• generic web: Monitor network traffic for outbound HTTP requests from the AVideo server to unexpected destinations. Use tools like tcpdump or Wireshark to capture and analyze network packets.
EPSS: 0.05% (17th percentile)
The primary mitigation for CVE-2026-33502 is to upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until a patch is applied, consider implementing temporary workarounds. A Web Application Firewall (WAF) or reverse proxy can be configured to filter outbound HTTP requests, blocking those destined for internal or unauthorized domains. Strict input validation on the statsURL parameter, ensuring it adheres to a whitelist of allowed domains, can also reduce the attack surface. Monitor access logs for suspicious outbound requests to internal IP addresses or unusual domains.
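As an added example (not AVideo's own code), the following Python puts the detection step and the input-validation workaround together: check_stats_url enforces an http/https scheme, rejects loopback, private and link-local destinations and applies a hypothetical allow-list, and scan_access_log runs that check over constructed access-log lines to flag test.php requests whose statsURL would have been rejected. The ALLOWED_HOSTS entry and the sample log lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of hosts statsURL may legitimately point at (assumed, not AVideo's).
ALLOWED_HOSTS = frozenset({"stats.example-cdn.net"})
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')  # CLF/Combined request line

def is_internal_host(host: str) -> bool:
    """Loopback, private, link-local (cloud metadata) or other non-global address literals."""
    if host.lower() == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_global
    except ValueError:
        return False  # DNS name: resolve and re-check the address at request time

def check_stats_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return 'ok' or the reason a statsURL value must be rejected."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "bad-scheme-or-host"
    if is_internal_host(host):
        return "internal-destination"
    if host.lower() not in allowed_hosts:
        return "not-allowlisted"
    return "ok"

def scan_access_log(lines):
    """Return (client_ip, statsURL, verdict) for test.php requests whose statsURL is rejected."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or "plugin/Live/test.php" not in m.group("path"):
            continue
        query = urlsplit(m.group("path")).query  # parse_qs URL-decodes the value
        for value in parse_qs(query).get("statsURL", []):
            verdict = check_stats_url(value)
            if verdict != "ok":
                findings.append((line.split()[0], value, verdict))
    return findings

# Constructed sample access-log lines (not captured from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/Live/test.php?statsURL=https%3A%2F%2Fstats.example-cdn.net%2Fstats HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Mar/2026:10:01:05 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 88',
    '198.51.100.4 - - [20/Mar/2026:10:01:09 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 1024',
    '198.51.100.8 - - [20/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]
```

A name-based allow-list does not protect against a host that resolves to an internal address; resolve the name and re-run is_internal_host on the result before the server connects.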
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. This prevents unauthenticated users from making SSRF requests through the Live plugin.
CVE-2026-33502 is a CRITICAL SSRF vulnerability in wwbn/avideo versions up to 26.0, allowing attackers to make the server send HTTP requests to arbitrary URLs, potentially exposing internal resources.
You are affected if you are using wwbn/avideo version 26.0 or earlier. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of wwbn/avideo. Until then, implement WAF rules or input validation to restrict outbound requests.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high likelihood of exploitation.
Refer to the official wwbn/avideo security advisories for the latest information and patch releases.