Cyber Resilience

CVE-2026-33502

Critical · Public PoC

Published: 23 March 2026

Published
23 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0044 35.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-33502 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in WWBN AVideo. Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33502 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting WWBN AVideo, an open-source video platform. The flaw exists in versions up to and including 26.0, specifically within the `plugin/Live/test.php` component. It enables unauthenticated remote users to manipulate the AVideo server into sending HTTP requests to arbitrary URLs.

Any unauthenticated attacker with network access to the AVideo server can exploit this vulnerability due to its lack of authentication requirements (PR:N). Exploitation allows the attacker to probe localhost and internal services, potentially accessing sensitive internal HTTP resources or cloud metadata endpoints if reachable from the server. The CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) reflects its critical severity, driven by high confidentiality impact across a changed scope.

Mitigation is available via commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3, which patches the issue. Additional details on the vulnerability and remediation are outlined in the GitHub Security Advisory GHSA-3fpm-8rjr-v5mc, accessible at https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc, with the patch commit at https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in the public-facing AVideo component directly enables T1190 exploitation; the description explicitly notes probing of internal services (T1046) and cloud metadata endpoints (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33480 · Same product: Wwbn Avideo
CVE-2026-33039 · Same product: Wwbn Avideo
CVE-2026-33351 · Same product: Wwbn Avideo
CVE-2026-27732 · Same product: Wwbn Avideo
CVE-2026-41055 · Same product: Wwbn Avideo
CVE-2026-39370 · Same product: Wwbn Avideo
CVE-2026-41060 · Same product: Wwbn Avideo
CVE-2026-33292 · Same product: Wwbn Avideo
CVE-2026-33479 · Same product: Wwbn Avideo
CVE-2026-33767 · Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · SI-2 Flaw Remediation

Timely flaw remediation requires applying the specific patch (commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3) to eliminate the SSRF vulnerability in plugin/Live/test.php.

prevent · SI-10 Information Input Validation

Information input validation directly prevents SSRF by checking and restricting the arbitrary URL parameter supplied to test.php.

prevent

Information flow enforcement policies restrict the AVideo server from sending requests to unauthorized internal or localhost destinations prompted by external inputs.
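The two preventive controls above (validating the URL parameter, and restricting which destinations the server may contact) can be combined in the application itself. The following is an added example written for this page; it is not AVideo's code and not the referenced patch commit, which should be consulted for the project's actual fix. The class name, the `stream.example.com` allowlist entry and the `url` query parameter are hypothetical, since the advisory does not name test.php's parameter. The check parses the URL, accepts only http/https on ports 80/443, requires the host to be on an explicit allowlist, and then resolves the name and rejects any answer in loopback, RFC 1918, link-local (where 169.254.169.254 instance metadata lives) or reserved space. The resolved address is then pinned into curl so that the address checked is the address connected to, and redirects are not followed, because a 3xx could otherwise redirect the fetch to an internal host.

```php
<?php
declare(strict_types=1);

// Added example (not AVideo's code or its patch): allowlist-based URL validation
// for a server-side fetch, with the checked address pinned into curl.
// Class name, allowlist entry and parameter name are hypothetical.

final class OutboundUrlPolicy
{
    /** @var string[] lowercase hostnames this endpoint may contact (hypothetical allowlist) */
    private array $allowedHosts;

    public function __construct(array $allowedHosts)
    {
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
    }

    /**
     * Validate $url. Returns ['ok' => true, 'host', 'port', 'ip'] when the request
     * may proceed, or ['ok' => false, 'reason' => ...] otherwise.
     * $resolver maps a hostname to its IPv4 addresses; defaults to gethostbynamel()
     * (IPv4 only, so an allowlist entry that is IPv6-only would be rejected as unresolved).
     */
    public function check(string $url, ?callable $resolver = null): array
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return ['ok' => false, 'reason' => 'unparseable or relative URL'];
        }
        $scheme = strtolower($parts['scheme']);
        if ($scheme !== 'http' && $scheme !== 'https') {
            return ['ok' => false, 'reason' => 'scheme not http(s)'];
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return ['ok' => false, 'reason' => 'userinfo in URL'];
        }
        $host = strtolower(trim($parts['host'], '[]'));
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
        if ($port !== 80 && $port !== 443) {
            return ['ok' => false, 'reason' => "port $port not permitted"];
        }
        if (!in_array($host, $this->allowedHosts, true)) {
            return ['ok' => false, 'reason' => 'host not on allowlist'];
        }
        // Even an allowlisted name must not resolve into loopback, RFC 1918,
        // link-local (169.254.0.0/16, instance metadata) or reserved space.
        $resolver ??= static fn(string $h): array => gethostbynamel($h) ?: [];
        $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
        if ($addrs === []) {
            return ['ok' => false, 'reason' => 'host does not resolve'];
        }
        foreach ($addrs as $ip) {
            $public = filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
            if ($public === false) {
                return ['ok' => false, 'reason' => "resolves to non-public address $ip"];
            }
        }
        return ['ok' => true, 'host' => $host, 'port' => $port, 'ip' => $addrs[0]];
    }
}

/**
 * Fetch with the already-checked address pinned (CURLOPT_RESOLVE), so a DNS answer
 * cannot change between the check and the connection, and without following redirects.
 */
function fetchChecked(string $url, array $verdict): ?string
{
    if (!$verdict['ok']) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a 3xx could point at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => [sprintf('%s:%d:%s', $verdict['host'], $verdict['port'], $verdict['ip'])],
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Self-check with an injected resolver (constructed answer, no network needed):
$policy = new OutboundUrlPolicy(['stream.example.com']);
$demo   = $policy->check('http://stream.example.com/live', static fn(string $h): array => ['169.254.169.254']);
// $demo['ok'] is false, $demo['reason'] is 'resolves to non-public address 169.254.169.254'

// Usage in a request handler (hypothetical 'url' parameter name):
$verdict = $policy->check($_GET['url'] ?? '');
if (!$verdict['ok']) {
    http_response_code(400);
    exit('rejected: ' . $verdict['reason']);
}
$body = fetchChecked($_GET['url'], $verdict);
```

The allowlist is the part that does the real work: denylisting private ranges alone is fragile against alternate encodings and DNS tricks, whereas an explicit list of permitted hosts plus a post-resolution address check covers both the "arbitrary URL" input and the "unauthorized internal or localhost destination" outcome the controls above describe. Application-level checks like this do not replace network egress filtering for the web server (the information flow enforcement control), which remains the backstop if a future code path forgets the check.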

References