CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33502: Unauthenticated SSRF and Command Injection in WWBN AVideo

Vulnerability ID: CVE-2026-33502
CVSS Score: 9.3
Published: 2026-03-20

WWBN AVideo versions up to and including 26.0 suffer from a critical unauthenticated Server-Side Request Forgery (SSRF) and OS Command Injection vulnerability in the Live plugin's test endpoint. This flaw permits remote attackers to probe internal networks, exfiltrate cloud metadata, and execute arbitrary system commands.

TL;DR

An unauthenticated endpoint in AVideo's Live plugin improperly validates user-supplied URLs, enabling critical SSRF and OS command injection (RCE) through a wget system call built from the unvalidated URL.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918 (SSRF), CWE-78 (OS Command Injection)
  • Attack Vector: Network (Unauthenticated)
  • CVSS v3.1 Score: 9.3 (Critical)
  • EPSS Score: 0.00045 (15th Percentile)
  • Impact: Remote Code Execution, Data Exfiltration
  • Exploit Status: Proof of Concept (PoC) Available
  • CISA KEV: Not Listed

Affected Systems

  • WWBN AVideo <= 26.0
  • WWBN AVideo Live Plugin
  • AVideo: <= 26.0 (Fixed in: 26.1)

Code Analysis

Commit: 1e6cf03

Fix unauthenticated SSRF and command injection in Live plugin test.php

Exploit Details

  • Technical Blog: Proof of Concept and Technical Analysis of SSRF to RCE vector

Mitigation Strategies

  • Upgrade WWBN AVideo to version 26.1 or later.
  • Restrict network access to plugin/Live/test.php using web server rules.
  • Delete the test.php file if testing functionality is not required.
  • Disable allow_url_fopen in the PHP configuration (php.ini).
  • Implement egress firewall filtering to block web server connections to RFC 1918 and cloud metadata IP addresses (e.g. 169.254.169.254).
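As an added example (not AVideo's code and not the project's actual fix in commit 1e6cf03), here is a defensive check of the kind these mitigations call for, written in Python rather than AVideo's PHP: it resolves a user-supplied URL, refuses any host that maps into RFC 1918, loopback, link-local or metadata space, and hands the URL to wget as a single argv entry instead of through a shell. The hostnames and DNS table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# RFC 1918, loopback, link-local (home of 169.254.169.254), "this network" and
# the IPv6 equivalents: ranges a public media server must not fetch for anyone.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def resolve_all(host):
    """Default resolver: every A/AAAA address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_fetch_url(url, resolver=resolve_all):
    """Return (ok, reason); rejects non-http(s), credentials, blocked-range hosts."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:10.0.0.1
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{parts.hostname} resolves to blocked address {ip}"
    return True, "ok"

def build_wget_argv(url):
    """argv for subprocess.run(argv, shell=False): URL is data, never shell syntax."""
    return ["wget", "--spider", "--timeout=5", "--", url]

# Constructed DNS table so the example runs offline; these are not real hosts.
FAKE_DNS = {
    "cdn.example.org": {"203.0.113.10"},
    "meta.example.org": {"169.254.169.254"},           # metadata service via a name
    "dual.example.org": {"203.0.113.5", "::ffff:10.1.2.3"},
}

def fake_resolver(host):
    try:
        return {str(ipaddress.ip_address(host))}        # IP literal: itself
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(host)
        return FAKE_DNS[host]
```

Resolving at check time does not cover DNS rebinding between the check and the fetch, so pin the checked address for the actual request and keep the egress firewall rule as the backstop.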

Remediation Steps:

  1. Identify all deployed instances of WWBN AVideo running version 26.0 or earlier.
  2. Navigate to the application root directory and back up the existing database and configuration files.
  3. Pull the latest stable release (>= 26.1) from the official WWBN repository.
  4. Execute the standard AVideo upgrade procedure, ensuring all plugin files are overwritten with the patched versions.
  5. Verify the remediation by attempting to access plugin/Live/test.php with a benign localhost payload; the request should be blocked or return an error.

Read the full report for CVE-2026-33502 on our website for more details including interactive diagrams and full exploit analysis.
