Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33502

 


Published: April 8, 2026 / Updated: April 15, 2026


Vulnerability identifier: #VU125466
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33502
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to send server-side requests to arbitrary URLs and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/Live/test.php when handling the statsURL request parameter. A remote attacker can send a specially crafted request that causes the server to issue requests to arbitrary URLs and disclose sensitive information.

The issue can be used to probe localhost and internal network services, including reachable cloud metadata endpoints, and reflected upstream content or errors may be returned to the client.
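
One way to review web server logs for this pattern, as an added example that is not code from the vendor or from this advisory: it flags requests to plugin/Live/test.php whose statsURL value names a loopback, link-local or private address. It assumes combined-format access logs and that statsURL appears in the query string; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:10:01:02 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Apr/2026:10:01:05 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F127.0.0.1%3A8080%2Fstat HTTP/1.1" 200 98',
    '198.51.100.4 - - [09/Apr/2026:10:02:11 +0000] "GET /plugin/Live/test.php?statsURL=https%3A%2F%2Fstream.example.com%2Fstat HTTP/1.1" 200 230',
    '198.51.100.9 - - [09/Apr/2026:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '203.0.113.7 - - [09/Apr/2026:10:04:00 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 500 77',
]

# Assumed log layout: client, ident, user, [timestamp], "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_target(url):
    """Return a reason string if url names an internal target, else None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "malformed"          # e.g. unbalanced IPv6 brackets
    if not host:
        return None
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback-name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                 # DNS name: not resolved here, review separately
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:            # covers 169.254.0.0/16 (cloud metadata range)
        return "link-local"
    return "private" if ip.is_private else None

def find_ssrf_probes(lines):
    """Return (client, statsURL value, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/plugin/Live/test.php"):
            continue
        for value in parse_qs(parts.query).get("statsURL", []):  # percent-decoded
            reason = classify_target(value)
            if reason:
                hits.append((client, value, reason))
    return hits
```

Host names other than localhost are not resolved, so a DNS name that points at an internal address is not flagged and needs separate review.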


How to mitigate CVE-2026-33502

Install the security update from the vendor's website.
