Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33351

 


Published: April 8, 2026


Vulnerability identifier: #VU125454
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33351
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software: AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to perform server-side request forgery and bypass DVR token verification.

The vulnerability exists due to server-side request forgery in plugin/Live/standAloneFiles/saveDVR.json.php when processing the webSiteRootURL request parameter to construct a server-side verification request. A remote attacker can send a specially crafted request with an attacker-controlled URL to perform server-side request forgery and bypass DVR token verification.

The issue is exposed when the AVideo Live plugin is deployed in standalone mode and no configuration file is present.
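
A log-review check for the behaviour described above, added here as an example (it is not code from the advisory or from AVideo). It assumes Combined Log Format access logs and that the parameter arrives in the query string (values sent in a POST body do not appear in access logs); `EXPECTED_HOSTS` is a placeholder for your own site's hostnames.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter name are taken from the advisory text.
ENDPOINT = "/plugin/Live/standAloneFiles/saveDVR.json.php"
PARAM = "webSiteRootURL"
# Assumption: hostnames your own AVideo site legitimately uses (placeholder value).
EXPECTED_HOSTS = {"video.example.org"}

# Combined Log Format: client IP first, then the quoted request line, then status.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_requests(lines, expected_hosts=EXPECTED_HOSTS):
    """Return (client_ip, supplied_value, status) for each hit on the DVR
    endpoint whose webSiteRootURL does not point at an expected host."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        try:
            parts = urlsplit(target)
        except ValueError:
            continue  # request target itself is unparsable
        if not parts.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes values; blank values are kept and flagged.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            try:
                host = (urlsplit(value).hostname or "").lower()
            except ValueError:
                host = ""  # unparsable URL: treat as not allowlisted
            if host not in expected_hosts:
                findings.append((client, value, int(status)))
    return findings

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Apr/2026:10:00:01 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=https%3A%2F%2Fvideo.example.org%2F HTTP/1.1" 200 41',
    '203.0.113.9 - - [08/Apr/2026:10:00:05 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http%3A%2F%2Fother.example.net%2F HTTP/1.1" 200 41',
    '203.0.113.9 - - [08/Apr/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, value, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} supplied {PARAM}={value!r} (HTTP {status})")
```

Any finding on a standalone deployment is worth correlating with outbound connections made by the web server at the same timestamp.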


How to mitigate CVE-2026-33351

Install the security update from the vendor's website.
