PT-2026-26786 · Avideo · Avideo

Ahmad-Jarwan · Published 2026-03-20 · Updated 2026-04-15 · CVE-2026-33502

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: AVideo, an open source video platform, contains an unauthenticated server-side request forgery (SSRF) vulnerability in the plugin/Live/test.php file. It allows a remote user to make the AVideo server send HTTP requests to arbitrary URLs. The vulnerability stems from insufficient input validation of the statsURL parameter, which only checks that the URL begins with 'http'. The url_get_contents() function then uses file_get_contents() to make the outbound request, potentially exposing internal services and cloud metadata endpoints if they are reachable. The endpoint reads the value from $_REQUEST['statsURL']. The vulnerability allows probing of localhost and internal services, distinguishing open from closed ports, and potentially retrieving reflected content from internal HTTP services. test.php also contains a wget fallback that introduces shell exposure.

Recommendations (versions prior to and including 26.0):
- Remove plugin/Live/test.php from production deployments.
- If the file must remain, require admin authentication.
- Only allow requests to explicitly configured Live stats URLs.
- Block localhost, RFC1918, link-local, and metadata IP ranges.
- Stop reflecting fetched bodies and raw upstream errors to the client.
- Remove the wget fallback entirely (lines 94–119 of test.php).
- If wget must remain, escape the argument using escapeshellarg().
- Move the file behind the admin panel URL prefix with appropriate access control rules.
- Add an isSSRFSafeURL() check before any fetch operation.
- Block outbound connections from the web process to RFC1918 addresses at the firewall/egress level.
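The following is an added example, not AVideo's code, showing what the recommended allow-list, isSSRFSafeURL() check and non-reflecting fetch could look like in PHP. The weak check is reconstructed from the advisory's description for contrast; LIVE_STATS_ALLOWLIST, isWeakStatsURL(), fetchLiveStats(), the injectable resolver and all hostnames/addresses are constructed assumptions and are not AVideo identifiers.

```php
<?php
// Added example (not AVideo's code): a hardened replacement for the
// "starts with http" check described in the advisory. Names and hosts
// below are assumptions for illustration.

// Constructed allow-list of Live stats endpoints an operator has configured.
const LIVE_STATS_ALLOWLIST = [
    'https://stats.example.org/live/stats',
];

// Weak check as the advisory describes it (reconstructed, not the original
// source): anything merely beginning with "http" passes, including
// http://127.0.0.1/ and http://169.254.169.254/.
function isWeakStatsURL(string $url): bool
{
    return strpos($url, 'http') === 0;
}

// True only when the scheme is http(s) and every address the host resolves
// to is public. $resolver is injectable so the check can run without DNS;
// the default uses gethostbynamel() (A) plus dns_get_record() (AAAA).
function isSSRFSafeURL(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // no file://, gopher://, php://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // reject userinfo tricks like http://host@127.0.0.1
    }
    $host = trim($parts['host'], '[]');     // bare IPv6 literal
    $resolver = $resolver ?? function (string $h): array {
        if (filter_var($h, FILTER_VALIDATE_IP)) {
            return [$h];                    // literal IP, nothing to resolve
        }
        $ips = gethostbynamel($h) ?: [];
        foreach (dns_get_record($h, DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ipv6'];
        }
        return $ips;
    };
    $ips = $resolver($host);
    if ($ips === []) {
        return false;                       // unresolvable: refuse rather than guess
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE : 0/8, 127/8, 169.254/16 (cloud metadata), 240/4, ::1, fe80::/10, ...
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return false;
        }
    }
    return true;
}

// Fetch only an allow-listed, safe URL and report an outcome code to the
// client instead of the upstream body or raw error text.
function fetchLiveStats(string $url, ?callable $resolver = null): array
{
    if (!in_array($url, LIVE_STATS_ALLOWLIST, true)) {
        return ['ok' => false, 'reason' => 'url_not_configured'];
    }
    if (!isSSRFSafeURL($url, $resolver)) {
        return ['ok' => false, 'reason' => 'blocked_destination'];
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($url, false, $ctx);   // body stays server-side
    return ['ok' => $body !== false, 'reason' => $body !== false ? 'fetched' : 'upstream_error'];
}

// Demonstration with a constructed resolver so the script runs offline.
$fakeDns = fn (string $h): array => match ($h) {
    'stats.example.org' => ['203.0.113.10'],
    'rebind.example'    => ['203.0.113.10', '10.0.0.5'],   // mixed public/private answers
    default             => filter_var($h, FILTER_VALIDATE_IP) ? [$h] : [],
};
foreach ([
    'http://127.0.0.1:8080/',
    'http://169.254.169.254/latest/meta-data/',
    'http://rebind.example/stats',
    'file:///etc/passwd',
    'https://stats.example.org/live/stats',
] as $candidate) {
    printf("%-45s weak=%s safe=%s\n", $candidate,
        isWeakStatsURL($candidate) ? 'pass' : 'fail',
        isSSRFSafeURL($candidate, $fakeDns) ? 'pass' : 'fail');
}
```

In a handler this would be called as fetchLiveStats($_REQUEST['statsURL']) with the allow-list doing most of the work; the address check is a second layer. Note that the check resolves the name once, before file_get_contents() resolves it again, so a DNS answer that changes between the two lookups can still slip past it; the advisory's egress-level block on RFC1918 and metadata ranges closes that gap, and redirects are not followed here for the same reason.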

Exploit · Fix

Weakness Enumeration: OS Command Injection, SSRF

Related Identifiers

CVE-2026-33502
GHSA-3FPM-8RJR-V5MC
GHSA-PQ8P-WC4F-VG7J

Affected Products

Avideo