SB20260408173 - Multiple vulnerabilities in AVideo
Published: April 8, 2026 Updated: May 4, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-29093)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to read, modify, or flush session data.
The vulnerability exists due to exposure of resource to wrong sphere in the memcached service and PHP session store configuration when the published memcached port is reachable over the network. A remote attacker can connect to the exposed memcached service and issue memcached commands to read, alter, or delete session data.
Session data contains authentication state including user identifiers, admin flags, email addresses, and password hashes.
2) Insecure Default Initialization of Resource (CVE-ID: CVE-2026-33037)
CWE-ID: CWE-1188 - Insecure Default Initialization of Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain administrative access to the application.
The vulnerability exists due to insecure default initialization of resource in the official Docker deployment manifests and automated installer when deploying AVideo without overriding the default admin password. A remote attacker can log in with the predictable default admin credential to gain administrative access to the application.
Exploitation depends on deployments that retain the default SYSTEM_ADMIN_PASSWORD value during installation.
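Items 1 and 2 are both deployment-time settings that can be audited before the stack starts; the check below is an added example, not tooling from the bulletin or the AVideo project. The service and environment dicts are constructed stand-ins for a parsed compose file, and PLACEHOLDER_DEFAULT_PASSWORD is an assumed placeholder, not the real shipped value.

```python
import ipaddress

# Placeholder standing in for the shipped default; substitute the value from the vendor manifest.
PLACEHOLDER_DEFAULT_PASSWORD = "changeme"

# Constructed stand-ins for a compose service and its environment, as a YAML loader would return them.
SAMPLE_MEMCACHED_SERVICE = {"image": "memcached", "ports": ["11211:11211"]}
SAMPLE_ENV = {"SYSTEM_ADMIN_PASSWORD": "changeme"}

def port_mapping_is_public(mapping):
    """True if a compose 'ports' entry publishes the port on every host interface.

    Handles the short syntax ("11211", "11211:11211", "127.0.0.1:11211:11211", "[::1]:11211:11211")
    and the long syntax ({"target": 11211, "published": 11211, "host_ip": "127.0.0.1"})."""
    if isinstance(mapping, dict):
        if "published" not in mapping:
            return False                  # target only: not bound on the host at all
        host_ip = mapping.get("host_ip")
    else:
        parts = str(mapping).rsplit(":", 2)   # rsplit keeps an IPv6 host address intact
        if len(parts) == 1:
            return True                   # "11211": random host port on all interfaces
        host_ip = parts[0].strip("[]") if len(parts) == 3 else None
    if host_ip is None:
        return True                       # no host_ip means 0.0.0.0 / ::
    return ipaddress.ip_address(host_ip).is_unspecified

def audit_deployment(service, env):
    """Findings for the two deployment weaknesses in this bulletin; an empty list means clean."""
    findings = []
    for mapping in service.get("ports", []):
        if port_mapping_is_public(mapping):
            findings.append(f"port {mapping!r} is published on all host interfaces; "
                            "bind it to 127.0.0.1 or drop the entry and rely on the compose network")
    password = env.get("SYSTEM_ADMIN_PASSWORD", "")
    if not password or password == PLACEHOLDER_DEFAULT_PASSWORD:
        findings.append("SYSTEM_ADMIN_PASSWORD is unset or still the shipped default; "
                        "set a unique value before the first start")
    return findings
```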
3) Missing Authentication for Critical Function (CVE-ID: CVE-2026-33038)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain full administrative access to the application.
The vulnerability exists due to missing authentication for critical function in install/checkConfiguration.php when processing unauthenticated POST requests on uninitialized deployments. A remote attacker can send a specially crafted POST request to gain full administrative access to the application.
Exploitation is possible only when the deployment is in an uninitialized state and videos/configuration.php does not yet exist.
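A detection check for item 3, added here as an example rather than taken from the bulletin or the AVideo project: it scans web server access logs for POST requests to the installer endpoint and flags those from outside the networks an operator would install from. The log lines are constructed and the trusted networks are an assumption to adjust per site.

```python
import ipaddress
import re

# Constructed sample lines in combined log format; not taken from any real deployment.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Apr/2026:10:01:12 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [08/Apr/2026:10:02:44 +0000] "POST /install/checkConfiguration.php?step=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2026:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2026:10:03:05 +0000] "GET /install/checkConfiguration.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
INSTALL_ENDPOINT = "/install/checkConfiguration.php"
# Networks from which an operator is expected to run the installer (assumption; adjust per site).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def find_install_posts(log_text):
    """Return (ip, timestamp, status, from_trusted_net) for each POST to the installer endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != INSTALL_ENDPOINT:   # ignore the query string
            continue
        ip = ipaddress.ip_address(m["ip"])
        hits.append((m["ip"], m["ts"], int(m["status"]), any(ip in net for net in TRUSTED_NETS)))
    return hits

def external_install_posts(log_text):
    """The alert-worthy subset: installer POSTs from outside the trusted networks."""
    return [h for h in find_install_posts(log_text) if not h[3]]
```

Any hit at all on a deployment whose videos/configuration.php already exists means the installer directory was left reachable after setup and should be removed or blocked at the web server.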
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33039)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information from internal services.
The vulnerability exists due to server-side request forgery (SSRF) in plugin/LiveLinks/proxy.php when processing a user-supplied URL that returns an HTTP redirect. A remote attacker can supply a crafted URL that redirects to an internal endpoint to disclose sensitive information from internal services.
The issue occurs because the redirect target is fetched without re-validation, and the returned response can include cloud metadata such as IAM credentials.
5) Arbitrary file upload (CVE-ID: CVE-2026-28502)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to unrestricted upload of file with dangerous type in the plugin upload/import functionality when processing uploaded plugin ZIP archives. A remote user can upload a specially crafted ZIP archive containing executable server-side files to execute arbitrary code.
The uploaded archive is extracted into a web-accessible plugin directory.
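For item 5, the defensive counterpart is to inspect an uploaded plugin archive before any byte reaches a web-accessible directory: reject zip-slip paths and symlink entries, extract only into a staging directory outside the web root, and surface the server-side files for administrator review. This is an added example, not the project's own upload code; the archive builder is a constructed fixture and the suffix list is illustrative.

```python
import io
import posixpath
import stat
import tempfile
import zipfile
# Illustrative list of suffixes a PHP-capable web server executes; tune to the server configuration.
SERVER_SIDE_SUFFIXES = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}

def inspect_plugin_archive(data):
    """Classify every entry of an uploaded plugin ZIP before anything is written to disk."""
    report = {"escapes": [], "symlinks": [], "executable": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            # zip-slip: absolute paths, drive letters or ".." components leave the target directory
            if name.startswith("/") or norm == ".." or norm.startswith("../") or (len(norm) > 1 and norm[1] == ":"):
                report["escapes"].append(info.filename)
            if stat.S_ISLNK(info.external_attr >> 16):      # symlink entries can point outside too
                report["symlinks"].append(info.filename)
            base = posixpath.basename(norm).lower()
            # every suffix is checked so "shell.php.jpg" is flagged along with "shell.php"
            if base.startswith(".ht") or any(s in SERVER_SIDE_SUFFIXES for s in base.split(".")[1:]):
                report["executable"].append(info.filename)
    return report

def stage_plugin_archive(data, staging_root=None):
    """Extract into a staging directory outside the web root (never straight into plugin/)
    and return the server-side files an administrator must review before promotion."""
    report = inspect_plugin_archive(data)
    if report["escapes"] or report["symlinks"]:
        raise ValueError(f"rejected: escapes={report['escapes']} symlinks={report['symlinks']}")
    root = staging_root or tempfile.mkdtemp(prefix="plugin-stage-")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(root)                                 # staging only, never the web root
    return report["executable"]

def build_sample_archive(malicious):
    """Constructed fixture: a minimal plugin archive, optionally with zip-slip and symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyPlugin/MyPlugin.php", "<?php // constructed plugin stub")
        zf.writestr("MyPlugin/logo.png", b"\x89PNG constructed")
        if malicious:
            zf.writestr("../../shell.php.jpg", "<?php // constructed")
            link = zipfile.ZipInfo("MyPlugin/link")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/etc/passwd")
    return buf.getvalue()
```

Since a plugin for a PHP application legitimately contains PHP, the executable list is for review rather than automatic rejection; the upload feature itself should also be limited to administrators.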
6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33294)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information from internal network resources.
The vulnerability exists due to server-side request forgery (SSRF) in plugin/BulkEmbed/save.json.php when fetching user-supplied thumbnail URLs. A remote user can send a specially crafted save request with an internal URL to disclose sensitive information from internal network resources.
The HTTP response body is saved as the video thumbnail and can be retrieved by viewing the saved poster image, resulting in a scope change into internal network or cloud metadata resources.
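Items 4 and 6 share one missing check: the target of a user-supplied URL must be validated on every hop, including redirect targets, not only on the first request. The fetcher below is an added example, not code from the bulletin or the AVideo project; the fetch callable is assumed to be the caller's HTTP client with automatic redirects disabled, and the metadata hostname list is illustrative.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin
# Hostnames that must never be fetched on behalf of a user, whatever they resolve to.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}

def resolve_all(host):
    """Default resolver: every address the name currently maps to (A and AAAA)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def check_target(url, resolver=resolve_all):
    """Return None if url may be fetched, otherwise the reason it must not be."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return "missing host or credentials embedded in URL"
    if host.lower() in METADATA_HOSTS:
        return "cloud metadata endpoint"
    try:
        addrs = {ipaddress.ip_address(host)}          # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            addrs = set()
    if not addrs:
        return "unresolvable host"
    for a in addrs:
        if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped:
            a = a.ipv4_mapped                         # ::ffff:127.0.0.1 is still loopback
        if (a.is_private or a.is_loopback or a.is_link_local
                or a.is_reserved or a.is_multicast or a.is_unspecified):
            return f"resolves to non-public address {a}"
    return None

def fetch_following_redirects(url, fetch, resolver=resolve_all, max_hops=5):
    """fetch(url) -> (status, headers, body) with lowercase header names and redirects
    NOT followed by the client; every hop is re-checked before it is requested."""
    for _ in range(max_hops):
        reason = check_target(url, resolver)
        if reason:
            raise ValueError(f"refusing {url}: {reason}")
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and headers.get("location"):
            url = urljoin(url, headers["location"])   # relative Location is resolved against the hop
            continue
        return status, body
    raise ValueError("too many redirects")
```

The resolver check and the actual connection are separate DNS lookups, so a production client should also connect to the address it validated rather than resolving the name a second time.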
Remediation
Install the update from the vendor's website.
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xxpw-32hf-q8v9
- https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9
- https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx
- https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw
- https://github.com/WWBN/AVideo/security/advisories/GHSA-v8jw-8w5p-23g3
- https://github.com/advisories/GHSA-v8jw-8w5p-23g3
- https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p