#VU125466 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33502

 


Published: April 8, 2026 / Updated: April 15, 2026


Vulnerability identifier: #VU125466
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33502
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote attacker to send server-side requests to arbitrary URLs and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/Live/test.php when handling the statsURL request parameter. A remote attacker can send a specially crafted request that causes the server to issue requests to arbitrary URLs and disclose sensitive information.

The issue can be used to probe localhost and internal network services, including reachable cloud metadata endpoints, and reflected upstream content or errors may be returned to the client.
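For triage, the following added example (not code from this advisory or from the AVideo project) scans web server access logs for requests to plugin/Live/test.php whose statsURL value is a loopback, link-local or private address literal. The function names, the combined log format and the sample lines are assumptions made for illustration; hostnames other than localhost are not resolved, so they need separate review.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/plugin/Live/test.php"  # script named in the advisory
PARAM = "statsURL"                  # parameter named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [10/Apr/2026:10:00:01 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F127.0.0.1%3A8080%2Fstat HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2026:10:00:02 +0000] "GET /plugin/Live/test.php?statsURL=http://169.254.169.254/ HTTP/1.1" 200 230',
    '198.51.100.23 - - [10/Apr/2026:10:05:00 +0000] "GET /plugin/Live/test.php?statsURL=https://stats.example.com/stat HTTP/1.1" 200 1024',
    '198.51.100.23 - - [10/Apr/2026:10:06:00 +0000] "GET /view/index.php?statsURL=http://10.0.0.5/ HTTP/1.1" 404 0',
    '198.51.100.23 - - [10/Apr/2026:10:07:00 +0000] "GET /avideo/plugin/Live/test.php?statsURL=http://10.0.0.5/ HTTP/1.1" 200 90',
]


def classify_target(url):
    """Return why a statsURL target looks internal, or None if it does not."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return "malformed-url"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # other hostnames need DNS resolution to judge; not done here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"  # range that contains cloud metadata addresses
    return "private" if ip.is_private else None


def scan(lines):
    """Return (client, statsURL, reason) for each flagged request to the endpoint."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        path, _, query = (m.group(1) if m else "").partition("?")
        if not path.endswith(ENDPOINT):
            continue  # unparsable line or a different script
        for value in parse_qs(query).get(PARAM, []):
            reason = classify_target(value)
            if reason:
                hits.append((line.split()[0], value, reason))
    return hits
```

Calling scan(SAMPLE_LOG) returns the three flagged requests; the external hostname and the request to a different script are not reported.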


Remediation

Install the security update from the vendor's website.
