SB2026050470 - Multiple vulnerabilities in AVideo




Published: May 4, 2026

Security Bulletin ID: SB2026050470
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 67% Medium 22% Low 11%

Description

This security bulletin contains information about 9 vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33351)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to perform server-side request forgery and bypass DVR token verification.

The vulnerability exists due to server-side request forgery in plugin/Live/standAloneFiles/saveDVR.json.php when processing the webSiteRootURL request parameter to construct a server-side verification request. A remote attacker can send a specially crafted request with an attacker-controlled URL to perform server-side request forgery and bypass DVR token verification.

The issue is exposed when the AVideo Live plugin is deployed in standalone mode and no configuration file is present.


2) External Control of File Name or Path (CVE-ID: CVE-2026-33354)

CWE-ID: CWE-73 - External Control of File Name or Path

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to external control of file name or path in aVideoEncoder.json.php when processing a requester-controlled chunkFile parameter. A remote user can send a specially crafted POST request with an arbitrary local filesystem path to disclose sensitive information.

Exploitation requires an authenticated account with upload permission, ownership of an editable video record, and that the target file is readable by the web application user.


3) SQL injection (CVE-ID: CVE-2026-33485)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to SQL injection in the RTMP on_publish callback when processing the stream name parameter in requests to plugin/Live/on_publish.php. A remote attacker can send a specially crafted stream name parameter to disclose sensitive information.

The issue is reachable without authentication, and the unconditional injection path is triggered without requiring the additional p parameter.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33483)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the objects/aVideoEncoderChunk.json.php endpoint when handling arbitrary POST data. A remote attacker can send specially crafted requests with large request bodies to cause a denial of service.

The endpoint is accessible without authentication, created temporary files persist without cleanup, and the response discloses the full temporary file path.


5) OS Command Injection (CVE-ID: CVE-2026-33482)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in sanitizeFFmpegCommand() in plugin/API/standAlone/functions.php when processing a crafted encrypted ffmpeg command that is later executed via sh -c. A remote attacker can send a specially crafted encrypted payload containing $() command substitution to execute arbitrary commands.

Exploitation requires the ability to craft a valid encrypted payload, and legacy installations without saltV2 are at higher risk.


6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33480)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information from internal services, localhost services, and cloud metadata endpoints.

The vulnerability exists due to server-side request forgery in plugin/LiveLinks/proxy.php and isSSRFSafeURL() when handling user-supplied URLs containing IPv4-mapped IPv6 addresses. A remote attacker can send a specially crafted request to disclose sensitive information from internal services, localhost services, and cloud metadata endpoints.

The vulnerable endpoint is unauthenticated, and the fetched response content is echoed back to the requester.
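Added illustration for this item (not AVideo code): a URL check in Python that unwraps IPv4-mapped IPv6 literals, and any such address a resolver returns, before applying the loopback, private and link-local range tests, so the mapped form of an internal address cannot pass as a public IPv6 host. The function names and the resolver hook are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def normalize_ip(addr):
    """Parse an address literal and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d,
    also written ::ffff:7f00:1) so the range checks see the real IPv4 target."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_public_ip(ip):
    # 169.254.0.0/16 (cloud metadata) is covered by is_link_local;
    # fc00::/7 and ::1 by is_private / is_loopback.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_ssrf_safe_url(url, resolver=socket.getaddrinfo):
    """True only for http(s) URLs whose every target address is public.
    `resolver` is injectable so the check can be exercised offline."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                      # e.g. a non-numeric port
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        return is_public_ip(normalize_ip(host))   # literal address, no DNS
    except ValueError:
        pass                                      # a hostname: resolve it
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    # Reject if any record points inside; an empty answer is not "safe".
    return bool(infos) and all(is_public_ip(normalize_ip(i[4][0])) for i in infos)
```

The fetch that follows should connect to the address that passed the check rather than resolving the hostname a second time, otherwise a DNS answer that changes between check and use defeats it.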


7) SQL injection (CVE-ID: CVE-2026-33352)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary SQL commands to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to SQL injection in the getAllCategories() method in objects/category.php when handling the doNotShowCats request parameter. A remote attacker can send a specially crafted request to execute arbitrary SQL commands to disclose sensitive information, modify data, or cause a denial of service.

The issue can be exploited by using a backslash escape technique to bypass single-quote stripping and alter SQL string boundaries.
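Added illustration for this item (not AVideo code): the doNotShowCats value handled as a list of integer ids that are bound as query parameters, so the SQL text never carries request data and there is no quote stripping to bypass. SQLite stands in for the application's database here; the table, rows and function names are constructed assumptions.

```python
import sqlite3


def parse_id_list(raw):
    """Turn a comma-separated request value into non-negative ints.
    Anything that is not plain ASCII digits is rejected outright, so quotes,
    backslashes and comment markers never get near the query."""
    ids = []
    for piece in raw.split(","):
        piece = piece.strip()
        if not (piece.isascii() and piece.isdigit()):
            raise ValueError(f"invalid category id: {piece!r}")
        ids.append(int(piece))
    return ids


def get_all_categories(conn, do_not_show_cats=""):
    """Return (id, name) rows, excluding the ids named in do_not_show_cats.
    The exclusion list is passed as bound parameters; only the placeholder
    count depends on the input."""
    sql = "SELECT id, name FROM categories"
    params = []
    if do_not_show_cats.strip():
        ids = parse_id_list(do_not_show_cats)
        sql += " WHERE id NOT IN (%s)" % ",".join("?" * len(ids))
        params = ids
    return conn.execute(sql + " ORDER BY id", params).fetchall()


def demo_db():
    """Constructed in-memory table standing in for a categories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(1, "news"), (2, "music"), (3, "private")])
    return conn
```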


8) Code Injection (CVE-ID: CVE-2026-33479)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to code injection in saveSort.json.php through use of eval() when processing a cross-site request forgery request targeting an administrator session. A remote attacker can cause an administrator to submit a specially crafted request to execute arbitrary code.

User interaction is required, and exploitation occurs through cross-site request forgery against an administrator.


9) OS Command Injection (CVE-ID: CVE-2026-33478)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in an OS command in plugin/CloneSite/cloneClient.json.php when processing the videosDir value from a clone server response during clone operations. A remote attacker can supply a specially crafted videosDir value to execute arbitrary code.

Exploitation is possible as part of a chain in which clone secret keys are disclosed without authentication and used to obtain a database dump containing trivially crackable MD5 password hashes for administrative accounts.
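Added illustration covering items 5 and 9 (not AVideo code): the ffmpeg command line is split into an argv list and executed without sh -c, so $() substitution is never interpreted, and a videosDir received from a remote clone server is accepted only as a plain absolute path inside a fixed base directory. The binary path, base directory and function names are assumptions.

```python
import os
import re
import shlex
import subprocess

# Assumed deployment values, not taken from AVideo: where ffmpeg lives and
# the directory that cloned video files are allowed to land in.
FFMPEG_BIN = "/usr/bin/ffmpeg"
VIDEOS_BASE = "/var/www/html/videos"

# Characters that mean something to sh. Without a shell they would reach
# ffmpeg only as literal bytes, so this is defence in depth, not the fix.
SHELL_META = re.compile(r"[$`;|&<>(){}\n\r]")


def ffmpeg_argv(command):
    """Split a stored ffmpeg command line into an argv list for subprocess
    without ever going through sh -c. Raises ValueError unless the line is a
    plain 'ffmpeg <args>' invocation with shell-neutral arguments."""
    argv = shlex.split(command)          # also raises on unbalanced quotes
    if not argv or argv[0] not in ("ffmpeg", FFMPEG_BIN):
        raise ValueError("command must invoke ffmpeg")
    for arg in argv[1:]:
        if SHELL_META.search(arg):
            raise ValueError(f"shell metacharacter in argument: {arg!r}")
    return [FFMPEG_BIN] + argv[1:]


def run_ffmpeg(command, timeout=3600):
    # shell=False is the default: argv goes straight to execve(), so $(...)
    # and friends are never interpreted by anything.
    return subprocess.run(ffmpeg_argv(command), check=True,
                          timeout=timeout, capture_output=True)


def validate_videos_dir(value):
    """Accept a videosDir received from a remote clone server only if it is
    an absolute path of plain characters that stays inside VIDEOS_BASE."""
    if not re.fullmatch(r"/[A-Za-z0-9._/-]+", value):
        raise ValueError("videosDir contains unexpected characters")
    resolved = os.path.normpath(value)   # collapses any ../ segments
    if os.path.commonpath([resolved, VIDEOS_BASE]) != VIDEOS_BASE:
        raise ValueError("videosDir escapes the videos base directory")
    return resolved
```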


Remediation

Install the update from the vendor's website.