CVE-2026-33351
SSRF Vulnerability in WWBN AVideo Live Plugin Allows Server-Side Requests
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 26.0 (exclusive; 26.0 is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33351 is a critical Server-Side Request Forgery (SSRF) vulnerability in the WWBN AVideo Live plugin, specifically in the file `plugin/Live/standAloneFiles/saveDVR.json.php` when deployed in standalone mode.

The vulnerability occurs because the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that the server fetches using `file_get_contents()` without any authentication, origin validation, or URL allowlisting.

This means an attacker can supply arbitrary URLs, including internal network addresses or cloud metadata endpoints, causing the server to make unauthorized requests on their behalf.

Additionally, the attacker can bypass DVR token verification by hosting a malicious server that responds with a forged verification response, potentially influencing downstream processing and command execution.

Although some input sanitization is applied, certain characters allowed in the verification key may enable further exploitation, including command execution in some environments. [2]
How can this vulnerability impact me?
This vulnerability can have several severe impacts:
- Attackers can perform SSRF attacks to scan and access internal network services and cloud metadata endpoints, potentially exposing sensitive infrastructure details.
- The DVR token verification can be bypassed, allowing attackers to manipulate downstream processes that rely on this verification.
- Potential command execution may be possible due to attacker control over file paths and shell commands, which could lead to further compromise of the server.
- Information disclosure can occur through error messages that leak internal URLs and response contents.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized server-side requests originating from the AVideo Live plugin, especially those targeting internal network resources or cloud metadata endpoints.

Since the vulnerability exploits the `webSiteRootURL` parameter in `plugin/Live/standAloneFiles/saveDVR.json.php`, you can look for HTTP POST requests to this endpoint containing this parameter.

Network detection commands might include inspecting web server logs or using tools like tcpdump or Wireshark to identify outgoing requests to internal IP ranges or unusual external hosts triggered by the server.

- Use grep to find suspicious POST requests in web server logs: `grep 'saveDVR.json.php' /var/log/apache2/access.log | grep 'webSiteRootURL'`
- Monitor outgoing HTTP requests from the server to internal IPs or metadata endpoints: `tcpdump -i eth0 dst net 169.254.169.254 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16`
- Check for unexpected curl or wget commands in process lists or shell history that might indicate exploitation attempts.

Additionally, reviewing application logs for error messages that leak URLs or content fetched by the vulnerable script can help identify exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading to AVideo version 26.0 or later, which contains a patch addressing this vulnerability.

If upgrading is not immediately possible, apply the following mitigations:

- Remove the fallback to the user-controlled `webSiteRootURL` parameter entirely, requiring `$streamerURL` to be set in the configuration file.
- If fallback is necessary, strictly validate the URL using PHP's `FILTER_VALIDATE_URL` and ensure the scheme is HTTP or HTTPS.
- Resolve the hostname and block private or reserved IP ranges to prevent SSRF to internal resources.
- Apply `escapeshellarg()` to all variables used in `exec()` calls, including `$DVRFileTarget` and `$tmpDVRDir`, to prevent command injection.
- Abort processing if `$streamerURL` is empty or invalid after validation.

Also, monitor logs for suspicious activity and restrict network access from the server to sensitive internal endpoints where possible. [2, 1]
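The mitigation steps above, carried through in one place as an added example that is not AVideo's own code: `$configuredStreamerURL`, the function names and the ffmpeg command line are assumptions made for illustration.

```php
<?php
// Added example, not AVideo's own code: choosing $streamerURL the way the mitigation
// steps above describe. $configuredStreamerURL and the ffmpeg command are hypothetical.

/** True for loopback, link-local (incl. 169.254.169.254), RFC 1918 and reserved addresses. */
function isPrivateOrReservedIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

/** Return the URL if it is safe to fetch server-side, or null if it must be rejected. */
function validateStreamerURL(?string $candidate): ?string
{
    if ($candidate === null || filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;                                   // empty or malformed: abort
    }
    $parts = parse_url($candidate);
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;                                   // file://, gopher:// etc. are rejected
    }
    $host = trim($parts['host'] ?? '', '[]');          // strip IPv6 literal brackets
    if ($host === '') {
        return null;
    }
    // Resolve the host (a literal IP is checked as-is) and reject any internal answer.
    // Caveat: a resolver whose answer changes before the fetch (DNS rebinding) is not covered.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : array_map(fn($r) => $r['ip'] ?? $r['ipv6'] ?? '', dns_get_record($host, DNS_A | DNS_AAAA) ?: []);
    if ($ips === []) {
        return null;                                   // unresolvable host
    }
    foreach ($ips as $ip) {
        if (isPrivateOrReservedIp($ip)) {
            return null;                               // points at an internal address
        }
    }
    return $candidate;
}

// The configured value wins; the request parameter is only a fallback, validated the same way.
$streamerURL = validateStreamerURL($configuredStreamerURL ?? null)
    ?? validateStreamerURL($_REQUEST['webSiteRootURL'] ?? null);
if ($streamerURL === null) {
    http_response_code(400);
    exit('streamer URL missing or not allowed');
}
// Every variable that reaches exec() is wrapped in escapeshellarg().
exec('ffmpeg -i ' . escapeshellarg($DVRFileTarget) . ' ' . escapeshellarg($tmpDVRDir . '/dvr.mp4'));
```

Pinning the resolved IP for the actual `file_get_contents()` request (rather than letting it resolve the hostname again) closes the rebinding gap noted in the comments.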