PHP RCE (CVE-2026-33351)
CVE-2026-33351 lets unauthenticated attackers force AVideo servers to probe internal networks and access cloud metadata, leading to full compromise. Update to version 26.0+.
Patch now - CVE-2026-33351 is a critical server-side request forgery in WWBN AVideo (all plugin versions prior to 26.0) that lets unauthenticated attackers abuse the Live plugin to probe internal networks and steal cloud metadata, often leading to full server compromise. Update to version 26.0 immediately to block the flaw.
Overview
A critical security vulnerability, identified as CVE-2026-33351, has been discovered in WWBN AVideo, an open-source video platform. This flaw is a Server-Side Request Forgery (SSRF) that affects systems running the AVideo Live plugin in its standalone configuration. If exploited, it could allow an attacker to compromise the server.
Vulnerability Details
In simple terms, this vulnerability exists in a specific file (saveDVR.json.php) used by the Live plugin. The flaw allows an attacker to trick the AVideo server into making web requests to locations it should not access. This is possible because the software uses unvalidated user input, specifically the webSiteRootURL parameter, to build a URL from which the server then fetches data. No authentication or validation is performed to ensure the request is legitimate, making the flaw easy to exploit.
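The defensive counterpart to the pattern described above is to treat any request parameter that feeds a server-side fetch as hostile: allowlist the host, restrict the scheme and port, resolve the name and refuse anything that lands in private, loopback, link-local or cloud-metadata address space, then pin the fetch to the address that was checked. The following PHP is an added example written for this page, not AVideo's own code or its fix; the function names, the `$allowedHosts` option and the sample URLs are hypothetical.

```php
<?php
// Added example, not AVideo project code: validate a caller-supplied URL
// before the server fetches it, so an endpoint that builds a fetch URL from
// a request parameter cannot be pointed at internal hosts or cloud metadata.
// Function names, the $allowedHosts option and the sample values are hypothetical.

/** Returns ['url','host','port','ip'] or throws InvalidArgumentException. */
function validateOutboundUrl(string $url, array $allowedHosts): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    // Plain web schemes only: rules out file://, gopher://, dict://, php:// and friends.
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Scheme not allowed');
    }
    // user:pass@host forms are a classic way to confuse host parsing; refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in URL not allowed');
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        throw new InvalidArgumentException('Port not allowed');
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    // Positive allowlist: the server should only fetch from hosts it already
    // trusts (for a "site root URL" parameter, the configured site host itself).
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        throw new InvalidArgumentException('Host not in allowlist');
    }
    // Resolve and check every address, so an allowlisted name that resolves to
    // 169.254.169.254 or 127.0.0.1 is still rejected.
    $literal = trim($host, '[]');
    $addresses = filter_var($literal, FILTER_VALIDATE_IP) !== false
        ? [$literal]
        : array_merge(
            array_column(dns_get_record($host, DNS_A) ?: [], 'ip'),
            array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6')
        );
    if ($addresses === []) {
        throw new InvalidArgumentException('Host does not resolve');
    }
    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            throw new InvalidArgumentException("Host resolves to non-public address $ip");
        }
    }
    return ['url' => $url, 'host' => $host, 'port' => $port, 'ip' => $addresses[0]];
}

function isPublicAddress(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::, ::1, ::ffff:0:0/96, fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Fetches only after validation, pinned to the address that was checked. */
function fetchValidated(string $url, array $allowedHosts): string
{
    $v  = validateOutboundUrl($url, $allowedHosts);
    $ch = curl_init($v['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Pin DNS to the checked address so a rebinding between check and fetch is moot.
        CURLOPT_RESOLVE        => ["{$v['host']}:{$v['port']}:{$v['ip']}"],
        // Never follow redirects: a 30x to an internal address would bypass the check.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Fetch failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Constructed sample: the allowlist holds the site's own configured host.
$allowed = ['videos.example.com'];
foreach (['http://169.254.169.254/latest/meta-data/', 'http://127.0.0.1:3306/',
          'file:///etc/passwd', 'https://videos.example.com/plugin/Live/'] as $candidate) {
    try {
        validateOutboundUrl($candidate, $allowed);
        echo "accepted: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate ({$e->getMessage()})\n";
    }
}
```

Two caveats a reviewer would raise: PHP's reserved-range flags do not cover 100.64.0.0/10 (shared address space used by some cloud networks), so add that range yourself if it matters in your environment, and the address check alone is not enough without the `CURLOPT_RESOLVE` pin and disabled redirects, since a name can change between validation and fetch or a trusted host can redirect to an internal one.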
Impact
The impact of this SSRF vulnerability is severe (CVSS score: 9.1). A successful attack could allow a remote, unauthenticated attacker to:
- Make requests to the server’s own internal systems that are normally hidden behind a firewall (like databases or administrative interfaces).
- Probe the internal network to map out services for further attacks.
- Potentially access sensitive data from internal services or cloud metadata, which could lead to a full system compromise. Such breaches can result in significant data loss and operational disruption. For context on the real-world impact of data exposure, you can review recent incidents in our breach reports.
Remediation and Mitigation
The primary and most effective action is to update your WWBN AVideo installation immediately.
1. Patch Immediately: Upgrade to WWBN AVideo version 26.0 or later. This version contains the necessary fix to properly validate requests and prevent SSRF exploitation. Always obtain software updates directly from the official project repository.
2. Temporary Mitigation (If Patching is Delayed): If an immediate update is not possible, consider disabling the affected Live plugin component or restricting network access to the AVideo server at the firewall level to block unexpected outbound requests. These are temporary measures and do not replace the need to apply the official patch.
3. General Security Hygiene: This incident underscores the importance of keeping all software components up to date. Regularly review and apply security patches for your entire software stack. For ongoing updates on vulnerabilities and threats, follow our security news section.
Organizations using WWBN AVideo should treat this as a high-priority update due to the critical nature and ease of exploitation of this flaw.