#VU125454 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33351

 

Published: April 8, 2026


Vulnerability identifier: #VU125454
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33351
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote attacker to perform server-side request forgery and bypass DVR token verification.

The vulnerability exists due to server-side request forgery in plugin/Live/standAloneFiles/saveDVR.json.php when processing the webSiteRootURL request parameter to construct a server-side verification request. A remote attacker can send a specially crafted request with an attacker-controlled URL to perform server-side request forgery and bypass DVR token verification.

The issue is exposed when the AVideo Live plugin is deployed in standalone mode and no configuration file is present.
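A log check for the request pattern described above, as an added example that is not part of the advisory or of AVideo's code: it flags requests to saveDVR.json.php whose webSiteRootURL value does not parse to the site's own origin. The trusted origin, the combined access-log format, the presence of the parameter in the logged query string, and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TRUSTED_ORIGIN = "https://video.example.org"  # assumption: the site's real origin
ENDPOINT = "plugin/Live/standAloneFiles/saveDVR.json.php"  # path named in the advisory
DEFAULT_PORTS = {"http": 80, "https": 443}
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.20 - - [08/Apr/2026:10:00:01 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=https%3A%2F%2Fvideo.example.org%2F HTTP/1.1" 200 52',
    '198.51.100.77 - - [08/Apr/2026:10:03:19 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http%3A%2F%2F203.0.113.7%2F HTTP/1.1" 200 52',
    '198.51.100.20 - - [08/Apr/2026:10:04:02 +0000] "GET /view/img/logo.png HTTP/1.1" 200 4312',
]

def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        scheme, host, port = parts.scheme, parts.hostname, parts.port
    except ValueError:  # malformed host or port
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])

def suspicious_requests(log_lines, trusted=TRUSTED_ORIGIN):
    """Return (line_no, value) for saveDVR requests naming an untrusted root URL."""
    expected = origin(trusted)
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith(ENDPOINT):
            continue
        # Compare the parsed origin, not a string prefix of the raw value.
        for value in parse_qs(target.query).get("webSiteRootURL", []):
            if origin(value) != expected:
                hits.append((line_no, value))
    return hits

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: webSiteRootURL points at untrusted origin {value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check covers only query-string requests.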


Remediation

Install the security update from the vendor's website.

External links