CVE-2026-33502

CRITICAL

9.3

Descripcion

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

Detalles CVE

Puntuacion CVSS v3.19.3

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado3/23/2026

Ultima modificacion3/24/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

wwbn:avideo

Debilidades (CWE)

CWE-918

Referencias

https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3(security-advisories@github.com)

https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc(security-advisories@github.com)

https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.