CVE-2026-33351 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue.


Analysis

by VulDB Data Team • 03/23/2026

CVE-2026-33351 affects WWBN AVideo, a widely used open source video platform that provides hosting and streaming for multimedia content. The flaw sits in the Live plugin's standalone file set, specifically in the `saveDVR.json.php` script that handles DVR (digital video recorder) functionality. It is a server-side weakness: the script lets an external client steer the server's own outbound requests, which exposes whatever the server can reach rather than only what the platform intends to serve.

The flaw is a Server-Side Request Forgery (CWE-918). The script takes `$_REQUEST['webSiteRootURL']` and uses it directly to build a URL, with no input validation, authentication check, or origin verification, and then fetches that URL server-side with `file_get_contents()`. Because `$_REQUEST` merges query-string, form-body and cookie values, the parameter can be supplied through any of them. In a standalone Live plugin deployment this lets a remote, unauthenticated caller choose the scheme and host of a request that originates from the AVideo server. Note also that `file_get_contents()` accepts any stream wrapper PHP has enabled, not only `http://` and `https://`, so the set of reachable targets is defined by the PHP configuration as well as by the network.

The impact goes beyond data exfiltration or service disruption: the flaw gives an attacker a vantage point inside the network for reconnaissance against hosts that firewalls or segmentation keep off the internet. Internal services, databases, management interfaces and, on cloud hosts, the instance metadata service become reachable through the AVideo server if they are reachable from it. Standalone Live plugin deployments are the affected configuration, and since that is the intended use of this file, the attack surface is predictable for a threat actor. Because no authentication is required, any client that can reach the endpoint can exploit it without prior access or elevated privileges.

Organizations running affected versions should upgrade to AVideo 26.0 or later, which contains the patch. Until then, restrict access to the standalone endpoint at the network or web-server level, and apply egress filtering from the AVideo host so that it cannot reach internal address ranges or the cloud metadata service; a web application firewall can additionally drop requests whose `webSiteRootURL` does not match the site's own URL. Monitoring should cover both inbound requests to `saveDVR.json.php` carrying an unexpected `webSiteRootURL` and unusual outbound connections from the PHP process. The entry is tagged with ATT&CK techniques T1071.004 (Application Layer Protocol: DNS) and T1566 (Phishing); neither describes SSRF directly, and the closer fit for an unauthenticated request to an exposed script is T1190 (Exploit Public-Facing Application). Regular security assessment of the platform's other plugin components is also warranted.
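The following PHP is an added example, not code from AVideo or from the 26.0 fix. It reconstructs the vulnerable pattern described above (request value concatenated into a URL that is then fetched), places a hardened handler beside it, and adds the access-log check mentioned under monitoring. The function names, the `$config` values, the `callback.json` suffix, the shared-secret scheme and the log lines are all assumptions made for the example; the real `saveDVR.json.php` is not reproduced.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo's code. Reconstructs the described vulnerable pattern,
// shows a hardened replacement, and checks access-log lines for abuse. Function
// names, $config values, the 'callback.json' suffix and log lines are assumptions.

// ---- Vulnerable pattern (illustrative) -----------------------------------------
function buildFetchUrlVulnerable(array $request): string
{
    // Caller-controlled value goes straight into the URL; in the real handler the
    // result is passed to file_get_contents() with no checks at all.
    return $request['webSiteRootURL'] . 'callback.json';
}

// ---- Hardened replacement --------------------------------------------------------
// A standalone node already knows which AVideo site it belongs to, so the request
// value is accepted only if it exactly matches a configured root and the caller
// presents a shared secret. The host is then resolved and non-public addresses are
// refused. $resolver defaults to gethostbynamel() (IPv4 only; production code should
// also check AAAA records via dns_get_record()) and can be swapped for offline tests.
function buildFetchUrlHardened(array $request, array $config, ?callable $resolver = null): string
{
    $resolver = $resolver ?? 'gethostbynamel';

    // 1. Authentication with a constant-time comparison.
    $token = (string)($request['token'] ?? '');
    if ($token === '' || !hash_equals($config['token'], $token)) {
        throw new RuntimeException('missing or invalid token');
    }
    // 2. Allowlist: exact match, so prefix/substring tricks do not apply.
    $root = (string)($request['webSiteRootURL'] ?? '');
    if (!in_array($root, $config['allowedRoots'], true)) {
        throw new RuntimeException('webSiteRootURL not in allowlist');
    }
    // 3. Structural checks (guards against a sloppy allowlist entry).
    $parts = parse_url($root);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['https', 'http'], true)
        || isset($parts['user']) || isset($parts['pass'])
        || substr($root, -1) !== '/') {
        throw new RuntimeException('malformed webSiteRootURL');
    }
    // 4. Refuse hosts resolving to private, loopback or reserved ranges
    //    (169.254.169.254-style metadata endpoints fall under NO_RES_RANGE).
    $ips = $resolver($parts['host']);
    if (!is_array($ips) || $ips === []) {
        throw new RuntimeException('host does not resolve');
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            throw new RuntimeException("host resolves to a non-public address: $ip");
        }
    }
    return $root . 'callback.json';
}

// ---- Log check -------------------------------------------------------------------
// Flag access-log lines that call saveDVR.json.php with a webSiteRootURL outside the
// allowlist. Only query strings are visible here; POST bodies need application logs.
function findSuspiciousDvrRequests(array $logLines, array $allowedRoots): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S*saveDVR\.json\.php[^ "]*)/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        $root = $params['webSiteRootURL'] ?? null;
        if (is_string($root) && !in_array($root, $allowedRoots, true)) {
            $hits[] = ['root' => $root, 'line' => $line];
        }
    }
    return $hits;
}

// ---- Demo with constructed inputs ------------------------------------------------
$config = [
    'token'        => 'replace-with-a-random-secret', // assumption: set at install time
    'allowedRoots' => ['https://videos.example.com/'],
];
$resolver = fn(string $host): array => ['203.0.113.10']; // offline stand-in for DNS

echo buildFetchUrlVulnerable(['webSiteRootURL' => 'http://169.254.169.254/latest/']), "\n";
foreach ([
    ['webSiteRootURL' => 'http://169.254.169.254/latest/', 'token' => $config['token']],
    ['webSiteRootURL' => 'https://videos.example.com/'],
    ['webSiteRootURL' => 'https://videos.example.com/', 'token' => $config['token']],
] as $req) {
    try {
        echo 'OK: ', buildFetchUrlHardened($req, $config, $resolver), "\n";
    } catch (RuntimeException $e) {
        echo 'REJECTED: ', $e->getMessage(), "\n";
    }
}
$sampleLog = [ // constructed combined-log-format lines
    '198.51.100.7 - - [23/Mar/2026:10:00:01 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=https://videos.example.com/ HTTP/1.1" 200 12',
    '198.51.100.9 - - [23/Mar/2026:10:00:05 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http://10.0.0.5/ HTTP/1.1" 200 12',
];
print_r(findSuspiciousDvrRequests($sampleLog, $config['allowedRoots']));
```

The allowlist is the actual fix; the resolver check is defence in depth against a misconfigured entry. Resolving before fetching still leaves a window for DNS rebinding between the check and the fetch, so a production handler should connect to the address it validated (for example with cURL's `CURLOPT_RESOLVE`) rather than letting `file_get_contents()` resolve the name a second time.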

Responsible: GitHub M
Reservation: 03/18/2026
Disclosure: 03/23/2026
Moderation: accepted
CPE: ready
EPSS: 0.00127
KEV: no
Activities: very low
