{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33351", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-23T13:51:43.972Z", "dateUpdated": "2026-03-23T18:44:50.468Z"}, "containers": {"cna": {"title": "AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj"}, {"name": "https://github.com/WWBN/AVideo/commit/d0c54960389eeb85e76caed5a257ae90e6a739f2", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/d0c54960389eeb85e76caed5a257ae90e6a739f2"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T13:51:43.972Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-5f7v-4f6g-74rj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T18:15:16.129127Z", "id": "CVE-2026-33351", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:44:50.468Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33351", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T18:15:16.129127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:41:09.381Z"}}], "cna": {"title": "AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass", "source": {"advisory": "GHSA-5f7v-4f6g-74rj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/d0c54960389eeb85e76caed5a257ae90e6a739f2", "name": "https://github.com/WWBN/AVideo/commit/d0c54960389eeb85e76caed5a257ae90e6a739f2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T13:51:43.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33351", "state": "PUBLISHED", "dateUpdated": "2026-03-23T18:44:50.468Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T13:51:43.972Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue."}], "id": "CVE-2026-33351", "lastModified": "2026-03-23T15:57:06.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T14:16:33.423", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/d0c54960389eeb85e76caed5a257ae90e6a739f2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T17:35:38.268024+00:00", "value": {"mitigation_remediation": ["Upgrade WWBN AVideo to version 26.0 or newer where the SSRF is patched.", "If an upgrade is not immediately possible, restrict access to the Live plugin\u2019s saveDVR.json.php endpoint by firewall rules or by removing it from the publicly reachable path.", "Disable the Live plugin or configure the application to reject the webSiteRootURL parameter altogether if the functionality is not required."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Server\u2011Side Request Forgery that can bypass verification and request arbitrary URLs"}, "threat_synthesis": {"affected_systems": "The issue affects all WWBN AVideo installations running any version prior to 26.0 when the Live plugin is deployed in its standalone configuration. Version 26.0 incorporates a patch that mitigates the SSRF by correctly validating the webSiteRootURL parameter and implementing proper origin checks.", "description_and_impact": "AVideo contains an authentication\u2011less SSRF flaw in the Live plugin\u2019s saveDVR.json.php file. The webSiteRootURL request parameter is concatenated directly into a file_get_contents call without any validation or allowlisting. This allows an attacker to cause the server to fetch any HTTP or HTTPS URL, providing a path for data exfiltration, internal network reconnaissance, or the ability to reach services behind firewalls. The vulnerability also lets the attacker bypass verification steps inherent to the platform, potentially enabling further privilege escalation or content manipulation.", "risk_and_exploitability": "The CVSS base score of 9.1 indicates a high\u2011severity flaw. Because no authentication is required and the server is instructed to fetch arbitrary URLs, exploitation is straightforward for anyone able to reach the vulnerable endpoint. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the combination of a high CVSS, lack of safeguards, and the public nature of the code base suggests a high likelihood of exploitation in the wild. Attackers can initiate requests simply by submitting a crafted webSiteRootURL value to the saveDVR.json.php endpoint, making the vulnerability readily exploitable."}}}}, "created": "2026-03-24T10:33:52.883322+00:00", "updated": "2026-03-25T21:28:09.478622+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}