PT-2026-26488 · Avideo · Avideo Live

Iconnnjka · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33351

CVSS v3.1 9.1 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.0
Description: A Server-Side Request Forgery (SSRF) vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php of the AVideo Live plugin when it is deployed in standalone mode. The $_REQUEST['webSiteRootURL'] parameter is used directly to build a URL that the server then fetches with file_get_contents(), with no authentication, origin validation, or URL allowlisting. An attacker can therefore make the server request internal network resources or cloud metadata endpoints, and can bypass authentication by redirecting the verification check to an attacker-controlled server. The vulnerable code is in lines 5-28 of the file: $_REQUEST['webSiteRootURL'] is attacker-controlled and flows into the file_get_contents() call without validation. Because the verification result is attacker-controlled, the attacker controls the subsequent processing flow; in addition, the regex applied to the $key variable permits a colon character, which could be leveraged for further exploitation.
Recommendations: For versions prior to 26.0, remove the user-controlled webSiteRootURL fallback entirely, or, if it must remain for backward compatibility, validate it against a strict allowlist. Apply escapeshellarg() to every variable used in exec() calls, including $DVRFileTarget and $tmpDVRDir.
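The following PHP is an added illustration of the pattern the advisory describes and of the two recommended fixes; it is not code from AVideo or from saveDVR.json.php. The verification endpoint name (verify.json.php), the configured root URL, the allowlist contents, the mv command and all sample inputs are assumptions made for the demonstration.

```php
<?php
// Added illustrative example, not code from the AVideo project. It sketches the
// request-controlled root URL pattern the advisory describes and one hardened
// form. 'verify.json.php', $configuredRootURL, the allowlist and the mv command
// are assumptions for the demonstration, not taken from saveDVR.json.php.

// --- Vulnerable pattern (the shape the advisory describes; do not use) ---
function vulnerableVerifyURL(array $request, ?string $configuredRootURL): string
{
    // In standalone mode there is no site configuration, so the code falls
    // back to the request value: scheme, host and port of the server-side
    // fetch become attacker-chosen.
    $root = $configuredRootURL ?? $request['webSiteRootURL'] ?? '';
    // The real code then calls file_get_contents() on this URL. Pointing $root
    // at http://169.254.169.254/ reaches cloud metadata; pointing it at the
    // attacker's own host lets that host answer the verification check.
    return rtrim($root, '/') . '/verify.json.php?key=' . urlencode($request['key'] ?? '');
}

// --- Hardened form: allowlist the root URL instead of trusting the request ---
function allowedRootURL(?string $candidate, array $allowlist): ?string
{
    // No request value: use the first configured root. Dropping the request
    // parameter entirely and always taking this branch is the preferred fix.
    if ($candidate === null || $candidate === '') {
        return $allowlist[0];
    }
    $p = parse_url($candidate);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                      // no file://, gopher://, php:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                      // no https://trusted.host@evil.host/
    }
    if (isset($p['query']) || isset($p['fragment'])) {
        return null;                      // a root URL has neither
    }
    // Normalise to scheme://host[:port]/path/ and require an exact match.
    $normalised = $scheme . '://' . strtolower($p['host'])
        . (isset($p['port']) ? ':' . $p['port'] : '')
        . rtrim($p['path'] ?? '', '/') . '/';
    return in_array($normalised, $allowlist, true) ? $normalised : null;
}

function hardenedVerifyURL(array $request, array $allowlist): ?string
{
    $root = allowedRootURL($request['webSiteRootURL'] ?? null, $allowlist);
    if ($root === null) {
        return null;                      // caller must reject the request
    }
    return $root . 'verify.json.php?key=' . urlencode($request['key'] ?? '');
}

// --- Shell arguments: quote every variable that reaches exec() ---
function buildMoveCommand(string $tmpDVRDir, string $DVRFileTarget): string
{
    // escapeshellarg() single-quotes the value and escapes embedded quotes, so
    // a target such as "x'; id; '" stays one literal argument to mv.
    return 'mv ' . escapeshellarg($tmpDVRDir) . ' ' . escapeshellarg($DVRFileTarget);
}

// Constructed inputs for a local run (php this_file.php); null simulates the
// missing configuration of standalone mode.
$allow = ['https://video.example.com/'];
$cases = [
    ['webSiteRootURL' => 'https://video.example.com', 'key' => 'abc'],
    ['webSiteRootURL' => 'http://169.254.169.254/latest/', 'key' => 'abc'],
    ['webSiteRootURL' => 'https://video.example.com@attacker.test/', 'key' => 'abc'],
    ['key' => 'abc'],
];
foreach ($cases as $req) {
    $label = $req['webSiteRootURL'] ?? '(absent)';
    printf("%-48s vulnerable: %s\n", $label, vulnerableVerifyURL($req, null));
    printf("%-48s hardened:   %s\n", $label, hardenedVerifyURL($req, $allow) ?? 'REJECTED');
}
echo buildMoveCommand('/tmp/dvr/live 1', "/var/www/dvr/x'; id; '"), "\n";
```

The allowlist check compares a normalised scheme://host[:port]/path/ string against configured roots rather than using prefix or substring matching, and it rejects URLs carrying userinfo, a query or a fragment before the comparison, so neither the metadata address nor a host hidden behind an @ sign survives to the file_get_contents() call.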

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33351
GHSA-5F7V-4F6G-74RJ

Affected Products

Avideo Live