Cyber Posture

CVE-2026-33351

Critical · Public PoC

Published: 23 March 2026

Modified: 23 March 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Requires validation of untrusted inputs like `$_REQUEST['webSiteRootURL']` to reject or sanitize malicious URLs before server-side fetching with `file_get_contents()`, directly addressing the lack of input validation.

prevent: Enforces information flow policies that restrict server-side requests to only authorized destinations, preventing SSRF access to internal or arbitrary network resources.

prevent: Implements boundary protections like firewalls or proxies to monitor and block unauthorized outbound requests from the application to internal networks or metadata services.
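The first two controls above (input validation and an allowlist of permitted destinations) can be applied directly at the point where `webSiteRootURL` is consumed. The following is an added illustration written for this page, not AVideo's own code or the fix in version 26.0: the function names, the `$allowedRoots` configuration and the sample inputs are all assumptions. It reduces the supplied URL to an origin (`scheme://host:port`), requires an exact match against a server-side allowlist, rejects non-HTTP schemes and embedded credentials, and disables redirect following for the eventual fetch.

```php
<?php
// Added example (not AVideo's code): validate an externally supplied site-root
// URL against a server-side allowlist before any file_get_contents() fetch.
// Assumptions: the standalone node is configured with the origin(s) it may
// call back to ($allowedRoots below); all function names are hypothetical.

/**
 * Reduce a URL to its origin ("scheme://host:port"), or return null if the
 * URL is malformed, uses a non-HTTP scheme, or embeds credentials.
 */
function originOf(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // file_get_contents() honours many stream wrappers (file://, php://, ftp://);
    // only plain HTTP(S) is meaningful for a site root.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // "https://allowed.example@other-host/" parses allowed.example as userinfo,
    // not as the host; reject credentials outright rather than reason about them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    return "$scheme://$host:$port";
}

/**
 * Exact-origin allowlist check: no prefix or substring matching, so
 * "https://video.example.com.attacker.test" does not match "https://video.example.com".
 */
function isAllowedWebSiteRootURL(string $candidate, array $allowedRoots): bool
{
    $origin = originOf($candidate);
    if ($origin === null) {
        return false;
    }
    foreach ($allowedRoots as $root) {
        if (originOf($root) === $origin) {
            return true;
        }
    }
    return false;
}

/**
 * Fetch $path relative to a validated root. Redirects are disabled so a
 * permitted origin cannot bounce the request elsewhere, and a timeout bounds
 * the cost of a slow or unresponsive host.
 */
function fetchFromValidatedRoot(string $candidate, array $allowedRoots, string $path): ?string
{
    if (!isAllowedWebSiteRootURL($candidate, $allowedRoots)) {
        // Constructed log format; a rejected value is worth recording for detection.
        error_log('saveDVR: rejected webSiteRootURL ' . $candidate);
        return null;
    }
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 5],
    ]);
    $url  = rtrim($candidate, '/') . '/' . ltrim($path, '/');
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Constructed inputs for a quick self-check; the validation step needs no network.
$allowedRoots = ['https://video.example.com/'];   // assumed configured value
$inputs = [
    'https://video.example.com/',                 // allowed
    'https://video.example.com:443/',             // allowed (default port made explicit)
    'http://video.example.com/',                  // rejected: scheme and port differ
    'https://video.example.com.attacker.test/',   // rejected: not an exact origin match
    'http://169.254.169.254/',                    // rejected: not allowlisted
    'https://video.example.com@10.0.0.5/',        // rejected: embedded credentials
    'file:///tmp/example',                        // rejected: non-HTTP scheme
];
foreach ($inputs as $input) {
    printf("%-45s %s\n", $input, isAllowedWebSiteRootURL($input, $allowedRoots) ? 'allowed' : 'rejected');
}
```

The check is an allowlist, not a denylist: nothing is inferred about which hosts are "internal", so it needs no list of private address ranges and does not drift as the network changes. It does not, on its own, cover the case where an allowlisted hostname resolves to an internal address; that layer is what the third control (boundary protection on outbound requests) addresses.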

Security Summary [AI-generated]

CVE-2026-33351 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the open source video platform WWBN AVideo, affecting versions prior to 26.0. The flaw exists in the file `plugin/Live/standAloneFiles/saveDVR.json.php` when the AVideo Live plugin is deployed in standalone mode, its intended configuration. There, the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL fetched server-side via `file_get_contents()`, with no authentication, origin validation, or URL allowlisting performed. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

An unauthenticated attacker with network access can exploit this by sending a crafted HTTP request to the vulnerable endpoint, supplying a malicious `webSiteRootURL`. This causes the server to fetch arbitrary URLs, potentially allowing access to internal network resources, metadata services, or cloud infrastructure unreachable from the internet. Successful exploitation leads to high confidentiality and integrity impacts, such as data exfiltration or further compromise via SSRF chaining, with low attack complexity and no user interaction required.

AVideo version 26.0 addresses the issue with a patch. Security practitioners should upgrade to this version immediately. Further details, including the fixing commit, are documented in the GitHub security advisory at GHSA-5f7v-4f6g-74rj and commit d0c54960389eeb85e76caed5a257ae90e6a739f2.

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: wwbn / avideo, ≤ 26.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1522 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

The SSRF in the unauthenticated public-facing endpoint (saveDVR.json.php) maps directly to T1190 for initial exploitation; crafted requests to internal or cloud metadata endpoints (e.g., 169.254.169.254) enable T1522 discovery and T1552.005 credential theft, since no authentication or filtering is applied.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References