CVE-2026-33502
Published: 23 March 2026
Summary
CVE-2026-33502 is a critical-severity SSRF (CWE-918) vulnerability in Wwbn Avideo. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation requires applying the specific patch (commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3) to eliminate the SSRF vulnerability in plugin/Live/test.php.
Information input validation directly prevents SSRF by checking and restricting the arbitrary URL parameter supplied to test.php.
Information flow enforcement policies restrict the AVideo server from sending requests to unauthorized internal or localhost destinations prompted by external inputs.
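As an added illustration of the input-validation (SI-10) and flow-enforcement controls above, here is a pre-fetch check for a user-supplied URL parameter. This is example code written for this page, not AVideo's own code and not the content of the patch commit. It rejects non-HTTP schemes, embedded credentials and unexpected ports, and refuses any destination that is, or resolves to, a loopback, private, link-local or cloud-metadata address. The `resolver` argument, the port policy and the metadata address list are assumptions chosen for the example.

```python
"""Destination validation for a server-side URL fetch (added example, not AVideo code).

Assumption (not from the advisory): the fetching code calls check_outbound_url()
before issuing the request and connects to one of the returned addresses rather
than re-resolving the hostname, so a DNS answer cannot change between check and fetch.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # policy choice for this example
# Well-known cloud metadata endpoints; constructed list, extend per platform
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def default_resolver(host):
    """Resolve a hostname to every address the OS resolver returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def address_is_internal(addr):
    """True for any address a public-facing server must not be steered toward."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    if ip in METADATA_ADDRESSES:
        return True
    # is_global is False for loopback, RFC 1918, link-local (including 169.254/16),
    # ULA, CGNAT 100.64/10, unspecified and reserved ranges
    return not ip.is_global


def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason, addresses).

    Only allowed=True destinations should be fetched, and the fetch should
    connect to one of `addresses` instead of resolving the name again.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return False, f"scheme not allowed: {parts.scheme!r}", set()
    host = parts.hostname
    if not host:
        return False, "missing host", set()
    if parts.username or parts.password:
        return False, "credentials in URL", set()
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port", set()
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}", set()
    try:
        # IP literal (IPv4, IPv6, or IPv4-mapped IPv6): check it directly
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        # Hostname: every address it resolves to must be acceptable, because
        # the client may connect to any of them
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}", set()
        if not addresses:
            return False, "host did not resolve", set()
    for addr in addresses:
        if address_is_internal(addr):
            return False, f"resolves to internal address {addr}", set()
    return True, "ok", addresses


if __name__ == "__main__":
    for candidate in ("https://example.com/stream", "http://169.254.169.254/latest/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/hosts"):
        print(candidate, "->", check_outbound_url(candidate)[:2])
```

Two design points matter in practice: checking every resolved address (not just the first) closes the gap where a name resolves to both a public and an internal address, and the `not ip.is_global` test covers shorthand forms such as `127.1` or decimal IPs because those fall through to the resolver and are judged by what they resolve to.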
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing AVideo component directly enables T1190 exploitation; description explicitly notes probing of internal services (T1046) and cloud metadata endpoints (T1522).
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.
Deeper analysis
CVE-2026-33502 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting WWBN AVideo, an open-source video platform. The flaw exists in versions up to and including 26.0, specifically within the `plugin/Live/test.php` component. It enables unauthenticated remote users to manipulate the AVideo server into sending HTTP requests to arbitrary URLs.
Any unauthenticated attacker with network access to the AVideo server can exploit this vulnerability, since no authentication is required (PR:N). Exploitation allows the attacker to probe localhost and internal services, potentially accessing sensitive internal HTTP resources or cloud metadata endpoints if they are reachable from the server. The CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) reflects its critical severity, driven by high confidentiality impact combined with a changed scope.
Mitigation is available via commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3, which patches the issue. Additional details on the vulnerability and remediation are outlined in the GitHub Security Advisory GHSA-3fpm-8rjr-v5mc, accessible at https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc, with the patch commit at https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3.
Details
- CWE(s)