AVideo Flaws Enable Unauthenticated Takeover and SSRF on Exposed Deployments
WWBN AVideo versions 25.0 and earlier contain two high-severity vulnerabilities that can be exploited without authentication. CVE-2026-33038 allows full application takeover of uninitialized deployments: the exposed install/checkConfiguration.php endpoint accepts unauthenticated POST data that completes setup, creates an administrator account, configures the database, and writes the application's configuration file. Any instance that has not yet created videos/configuration.php is at risk, because an attacker who reaches the installer first can initialize the platform with attacker-controlled credentials and database connection settings and thereby obtain full administrative access. In practice, the window between bringing a host online and finishing setup must not be exposed to untrusted networks; operators should confirm that videos/configuration.php exists and that install/ is no longer reachable before opening an instance up.
A second flaw, CVE-2026-33039, affects the plugin/LiveLinks/proxy.php endpoint and enables server-side request forgery (SSRF) through an HTTP redirect bypass. AVideo validates only the initial user-supplied URL and does not re-validate the targets of HTTP redirects that the proxy follows, so a redirect from an approved external host can land on internal resources such as RFC1918 addresses and cloud metadata services. Both issues were addressed in AVideo 26.0, with the takeover bug classified as CWE-306 and the SSRF bug as CWE-918.
Timeline
Apr 21, 2026
AVideo LiveLinks DNS rebinding SSRF disclosed as CVE-2026-41055
A new SSRF vulnerability in WWBN AVideo's `plugin/LiveLinks/proxy.php` was disclosed as CVE-2026-41055, affecting version 29.0 and earlier. The issue stems from an incomplete fix using `isSSRFSafeURL()`, which remained vulnerable to DNS rebinding: the safety check and the subsequent connection resolve the hostname separately, so an attacker-controlled DNS name can answer with a public address for the check and an internal address for the fetch (a time-of-check/time-of-use, or TOCTOU, attack). An updated fix was published in commit `8d8fc0cadb425835b4861036d589abcea4d78ee8`.
Mar 23, 2026
AVideo plugin/Live/test.php SSRF disclosed as CVE-2026-33502
A new unauthenticated SSRF vulnerability in WWBN AVideo was disclosed as CVE-2026-33502, affecting versions up to and including 26.0 via `plugin/Live/test.php`. The flaw allows remote attackers to make the server send HTTP requests to arbitrary URLs, potentially reaching localhost, internal services, and cloud metadata endpoints; a patch was published in commit `1e6cf03e93b5a5318204b010ea28440b0d9a5ab3`.
Mar 23, 2026
AVideo LiveLinks SSRF filter bypass disclosed via IPv4-mapped IPv6
A new unauthenticated SSRF vulnerability in AVideo `plugin/LiveLinks/proxy.php` was disclosed as CVE-2026-33480. The flaw lets attackers bypass `isSSRFSafeURL()` using IPv4-mapped IPv6 addresses such as `::ffff:x.x.x.x`, which an IPv4-only blocklist does not recognize even though they reach the same hosts, potentially exposing localhost, internal services, and cloud metadata endpoints; a patch was published in commit `75ce8a579a58c9d4c7aafe453fbced002cb8f373`.
Mar 23, 2026
AVideo standalone Live plugin flaw enabled unauthenticated SSRF
WWBN AVideo before version 26.0 was disclosed as vulnerable to unauthenticated SSRF in `plugin/Live/standAloneFiles/saveDVR.json.php`, where the `webSiteRootURL` parameter was used in a server-side `file_get_contents()` request without authentication or URL allowlisting. The issue affected standalone deployments of the Live plugin and was assigned CVE-2026-33351.
Mar 20, 2026
AVideo session ID disclosure and permissive CORS enabled session hijacking
WWBN AVideo versions 25.0 and earlier were found to expose the current PHP session ID through /objects/phpsessionid.json.php to unauthenticated requests, while reflecting arbitrary Origin headers in Access-Control-Allow-Origin and allowing credentialed cross-origin requests (Access-Control-Allow-Credentials: true). The combination lets a page on any origin read a logged-in victim's session ID from the browser, enabling cross-origin session theft and potential full account takeover.
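The reflected-Origin pattern described above, beside an exact-match allowlist, as an added example that is not AVideo's code. The allowlist entries, the attacker origin and the `browser_can_read()` model of the browser's CORS decision are constructed for illustration; the rules it encodes (Access-Control-Allow-Origin must equal the requesting origin, `*` is never honoured for credentialed requests, and a credentialed read additionally needs Access-Control-Allow-Credentials: true) are the standard Fetch behaviour.

```python
from urllib.parse import urlsplit

# Hypothetical front-ends allowed to call the API with cookies (constructed for this example).
ALLOWED_ORIGINS = {"https://videos.example", "https://admin.videos.example:8443"}


def normalize_origin(origin):
    """Reduce an Origin header to scheme://host[:port]; None if it is not a well-formed origin."""
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path not in ("", "/"):
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    default = 443 if parts.scheme == "https" else 80
    if port in (None, default):
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def cors_headers_reflecting(origin):
    """The vulnerable pattern: echo whatever Origin arrived and still allow credentials."""
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(origin):
    """The fix: exact-match allowlist; no CORS headers at all for anyone else."""
    norm = normalize_origin(origin)
    if norm not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }


def suffix_match_is_wrong(origin):
    """A common half-fix: a suffix test that attacker-registered names satisfy."""
    return origin.endswith("videos.example")


def browser_can_read(response_headers, requesting_origin, with_credentials=True):
    """Model of the browser's CORS check for a response to requesting_origin."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != requesting_origin:
        return False
    return (not with_credentials) or response_headers.get("Access-Control-Allow-Credentials") == "true"


def session_id_exposure(handler, attacker_origin="https://attacker.example"):
    """Simulate an attacker page calling the session-id endpoint with credentials: 'include'.

    Returns True if the attacker's script could read the response body (the victim's session id).
    """
    headers = handler(attacker_origin)
    return browser_can_read(headers, attacker_origin, with_credentials=True)
```

The theft also requires the browser to attach the session cookie to a cross-site request, which is the case when the cookie is issued with SameSite=None (the setting the related story on this page mentions); a Lax or Strict cookie would not be sent, but the reflected-Origin header is a defect in its own right and should be removed rather than relied on being unreachable.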
Mar 20, 2026
WWBN fixed both AVideo flaws in version 26.0
WWBN addressed the unauthenticated installer takeover issue and the LiveLinks proxy SSRF issue in AVideo version 26.0, as reflected in the published advisory and referenced source code fix.
Mar 20, 2026
AVideo Docker deployment exposed instances via default admin credentials
WWBN AVideo versions 25.0 and earlier were reported to use predictable default credentials in the official Docker deployment path, including an admin password of "password" and database credentials of avideo/avideo if operators did not override them. The issue could allow immediate administrative takeover of newly deployed instances and was fixed in version 26.0.
Mar 20, 2026
AVideo LiveLinks proxy flaw enabled SSRF via redirect bypass
WWBN AVideo versions 25.0 and earlier were found vulnerable to unauthenticated SSRF in plugin/LiveLinks/proxy.php because only the initial URL was validated, allowing attacker-controlled redirects to reach internal services such as RFC1918 and cloud metadata endpoints.
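A proxy fetcher that closes all three LiveLinks gaps reported on this page (the redirect bypass in this entry, the IPv4-mapped IPv6 spelling in CVE-2026-33480 and the DNS-rebinding TOCTOU in CVE-2026-41055), written here in Python as an added example rather than as AVideo's `isSSRFSafeURL()` or its PHP proxy code. It re-validates every redirect hop, unwraps `::ffff:a.b.c.d` literals before classifying them, and resolves each hostname exactly once, handing the resolved address to the transport so a second lookup can never change the destination. `FakeResolver`, `fake_transport`, the `*.example` names and the sample addresses are constructed so the code runs offline; a real transport would open the socket to `pinned_ip`, send `Host: parts.hostname`, and must not follow redirects on its own.

```python
import ipaddress
import socket
from collections import Counter
from urllib.parse import urlsplit, urljoin

MAX_REDIRECTS = 5


class SSRFError(ValueError):
    pass


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses; IPv4-mapped IPv6 is unwrapped first."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is checked as 127.0.0.1
    # is_global excludes loopback, link-local (incl. 169.254.169.254), RFC1918, CGNAT, ULA, unspecified
    return ip.is_global and not ip.is_multicast


def system_resolver(host):
    """Resolve via the OS; returns every A/AAAA answer (IP literals come back unchanged)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url, resolver):
    """Validate scheme and host, resolve once, require every answer to be public; return (parts, pinned_ip)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise SSRFError("missing host or embedded credentials")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise SSRFError(f"{parts.hostname}: does not resolve")
    blocked = [a for a in addrs if not is_public_ip(a)]
    if blocked:
        raise SSRFError(f"{parts.hostname} resolves to non-public {blocked}")
    return parts, addrs[0]


def safe_fetch(url, transport, resolver=system_resolver, max_redirects=MAX_REDIRECTS):
    """Fetch url, re-validating every redirect hop and connecting to the address that was checked.

    transport(pinned_ip, parts) -> (status, headers, body); it must not follow redirects itself.
    Returns (status, body, hops) where hops lists each (url, pinned_ip) visited.
    """
    hops = []
    for _ in range(max_redirects + 1):
        parts, pinned = check_url(url, resolver)
        hops.append((url, pinned))
        status, headers, body = transport(pinned, parts)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise SSRFError("redirect without Location")
            url = urljoin(url, location)  # relative Location resolves against the current hop
            continue
        return status, body, hops
    raise SSRFError("too many redirects")


# ---- constructed offline stand-ins for DNS and HTTP (not a real client) ----

class FakeResolver:
    """Scripted DNS: 'rebind.example' answers a public address first and loopback afterwards."""
    def __init__(self):
        self.seen = Counter()

    def __call__(self, host):
        self.seen[host] += 1
        if host == "cdn.example":
            return ["93.184.216.34"]
        if host == "rebind.example":
            return ["93.184.216.34"] if self.seen[host] == 1 else ["127.0.0.1"]
        try:
            ipaddress.ip_address(host)
            return [host]  # IP literal, as getaddrinfo would return it
        except ValueError:
            return []


def fake_transport(pinned_ip, parts):
    if pinned_ip in ("127.0.0.1", "169.254.169.254"):
        return 200, {}, b"INTERNAL-SECRET"  # what a naive client would have leaked
    responses = {
        ("93.184.216.34", "/video.m3u8"): (200, {}, b"#EXTM3U"),
        ("93.184.216.34", "/hop"): (302, {"Location": "/video.m3u8"}, b""),
        ("93.184.216.34", "/redir"): (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    }
    return responses.get((pinned_ip, parts.path), (404, {}, b""))


def try_fetch(url):
    """Run safe_fetch against the stand-ins: ('ok', status, body, [pinned ips]) or ('blocked', reason)."""
    try:
        status, body, hops = safe_fetch(url, fake_transport, FakeResolver())
        return "ok", status, body.decode(), [ip for _, ip in hops]
    except SSRFError as err:
        return "blocked", str(err)
```

Requiring every resolved address to be public (not just the first) matters because a name can return a mixed A/AAAA set and the client may pick either; pinning the checked address is what makes the rebinding answer irrelevant.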
Mar 20, 2026
AVideo installer flaw exposed uninitialized deployments to takeover
WWBN AVideo versions 25.0 and earlier were found to allow unauthenticated application takeover through install/checkConfiguration.php on uninitialized deployments, enabling database setup, admin account creation, and configuration writing from unauthenticated input.
Related Stories

AVideo Flaws Enable Remote Code Execution via Command Injection and Malicious Plugin Upload
WWBN **AVideo** versions up to and including `26.0` are affected by two high-severity flaws that can lead to **remote code execution**. `CVE-2026-33482` is an OS command injection bug in `sanitizeFFmpegCommand()`, which strips some shell metacharacters but fails to remove bash command substitution using `$()`. Because the resulting `ffmpeg` command is later executed in a double-quoted `sh -c` context by `execAsync()`, where the shell still expands `$()` inside double quotes, an attacker able to craft a valid encrypted payload can run arbitrary commands on the standalone encoder server. A separate issue, `CVE-2026-33507`, allows code execution by an attacker who holds no account of their own, through the plugin import workflow. The `objects/pluginImport.json.php` endpoint permits admin users to upload and install plugin ZIP archives containing executable PHP, but lacks **CSRF** protection; with `session.cookie_samesite = 'None'` on HTTPS connections the browser attaches the administrator's session cookie to cross-site requests, so an attacker can trick a logged-in administrator into silently importing a malicious plugin and deploying a PHP webshell. Fixes were introduced in commits `25c8ab90269e3a01fb4cf205b40a373487f022e1` and `d1bc1695edd9ad4468a48cea0df6cd943a2635f3`.
1 month ago
AVideo CloneSite Flaws Enable File Deletion and Unauthenticated RCE
WWBN **AVideo** was found to contain multiple high-severity flaws in its `CloneSite` plugin that can be abused for destructive attacks and full server compromise. One issue, tracked as `CVE-2026-33293`, affects versions prior to **26.0** and allows arbitrary file deletion through path traversal in the `deleteDump` parameter of `plugin/CloneSite/cloneServer.json.php`. Because the value was passed directly to `unlink()` without sanitization, an attacker with valid clone credentials could use `../../` sequences to remove arbitrary files such as `configuration.php`, causing denial of service and potentially weakening other protections. A second issue, `CVE-2026-33478`, describes a broader attack chain in AVideo versions up to and including **26.0** that can lead to **unauthenticated remote code execution**. The `clones.json.php` endpoint exposed clone secret keys without authentication, which could then be used to trigger a full database dump via `cloneServer.json.php`; the dump reportedly included admin password hashes stored as **MD5**, enabling attackers to recover credentials and gain administrative access. From there, an OS command injection flaw in `cloneClient.json.php` involving `rsync` command construction could be used to execute arbitrary system commands. The vulnerabilities were mapped to `CWE-22`, `CWE-78`, and `CWE-284`, and fixes were released by WWBN, including a patch referenced in commit `c85d076375fab095a14170df7ddb27058134d38c`.
1 week ago
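The `deleteDump` traversal above, shown as an added example in Python rather than AVideo's PHP: the value is passed straight to the delete call in the vulnerable form, and resolved and confined to the dump directory with canonical paths in the fixed form. The directory layout (`dumps/backup.sql` beside `configuration.php`), the parameter names and the symlink case are constructed for the demonstration; `resolve_inside()` is a general check, so it also rejects absolute paths and symlinks planted inside the directory, which a plain `../` filter would miss.

```python
import os
import shutil
import tempfile


class UnsafePathError(ValueError):
    pass


def resolve_inside(base_dir, user_value):
    """Absolute path of user_value inside base_dir, or raise if it escapes.

    Canonical paths (symlinks and '..' resolved) are compared with commonpath, so '../',
    absolute paths and symlinks pointing out of base_dir are all rejected.
    """
    base = os.path.realpath(base_dir)
    if os.path.basename(user_value) != user_value or user_value in ("", ".", ".."):
        raise UnsafePathError(f"not a plain file name: {user_value!r}")
    target = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError(f"{user_value!r} resolves outside {base}")
    return target


def delete_dump_unsafe(base_dir, name):
    """The vulnerable pattern: the request parameter goes straight to the delete call."""
    os.unlink(os.path.join(base_dir, name))


def delete_dump(base_dir, name):
    """The fixed pattern: only a plain file name that stays inside base_dir is deleted."""
    os.unlink(resolve_inside(base_dir, name))


def demo():
    """Constructed layout: <root>/configuration.php next to <root>/dumps/backup.sql."""
    root = tempfile.mkdtemp()
    dumps = os.path.join(root, "dumps")
    os.mkdir(dumps)
    config = os.path.join(root, "configuration.php")
    for path in (config, os.path.join(dumps, "backup.sql")):
        with open(path, "w") as fh:
            fh.write("x")
    outcomes = {}
    try:  # traversal against the fixed code
        delete_dump(dumps, "../configuration.php")
        outcomes["traversal"] = "deleted"
    except UnsafePathError:
        outcomes["traversal"] = "rejected"
    outcomes["config_survives"] = os.path.exists(config)
    link = os.path.join(dumps, "innocent.sql")
    try:  # symlink planted in the dump directory, pointing at configuration.php
        os.symlink(config, link)
        try:
            delete_dump(dumps, "innocent.sql")
            outcomes["symlink"] = "deleted"
        except UnsafePathError:
            outcomes["symlink"] = "rejected"
    except OSError:
        outcomes["symlink"] = "unsupported"
    delete_dump(dumps, "backup.sql")  # legitimate deletion still works
    outcomes["legit"] = not os.path.exists(os.path.join(dumps, "backup.sql"))
    delete_dump_unsafe(dumps, "../configuration.php")  # the vulnerable form really removes it
    outcomes["unsafe_removed_config"] = not os.path.exists(config)
    shutil.rmtree(root)
    return outcomes
```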
Unauthenticated OS Command Injection in AVideo via `base64Url` Parameter
A critical, **zero-click unauthenticated OS command injection** vulnerability was disclosed in the open-source video hosting/streaming platform **AVideo**, tracked as **CVE-2026-29058**. The flaw affects versions **prior to 7.0** (including **6.0**) and allows remote attackers to execute arbitrary operating system commands on the server without user interaction or prior privileges, creating a path to **full server compromise**, **data exfiltration** (e.g., configuration secrets, internal keys, credentials), and **service disruption**. The issue stems from `objects/getImage.php`, where attacker-controlled input in the `base64Url` GET parameter is Base64-decoded and incorporated into a double-quoted `ffmpeg` shell command without proper escaping/neutralization of shell metacharacters and command substitution (CWE-78). The vulnerability was reported by security researcher **Arkmarta**, and remediation is available by upgrading to **AVideo 7.0 or later**, which includes the official patch.
1 month ago
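Both command-injection stories above (the `$()` left behind by `sanitizeFFmpegCommand()` in CVE-2026-33482 and the `base64Url` value interpolated into a double-quoted `ffmpeg` command in CVE-2026-29058) share one root cause: user input is spliced into a shell string and the shell re-parses it. The example below is added here and is not AVideo's code; `weak_sanitize()` is a hypothetical sanitizer modelled on the described behaviour (some metacharacters stripped, `$()` untouched), and `echo` stands in for `ffmpeg` so the demonstration runs offline. It shows the injected command executing in the double-quoted `sh -c` form and staying inert when the value is passed as a single argv element or single-quoted with `shlex.quote()`.

```python
import re
import shlex
import subprocess

# Hypothetical sanitizer modelled on the flaw described on this page: removes a few metacharacters
# but never touches '$(' ... ')'. Not AVideo's sanitizeFFmpegCommand().
_STRIPPED = re.compile(r"[;&|`<>\n]")

PAYLOAD = "clip-$(printf INJECTED).mp4"  # constructed; a real payload would run anything


def weak_sanitize(value):
    return _STRIPPED.sub("", value)


def build_shell_command_weak(prog, input_path):
    """Vulnerable pattern: sanitized value interpolated into a double-quoted string for sh -c.

    Inside double quotes the shell still performs $(...) command substitution.
    """
    return f'{prog} "{weak_sanitize(input_path)}"'


def build_argv(prog, input_path):
    """Fixed pattern: an argument vector and no shell; the path is one argv element, never re-parsed."""
    return [prog, input_path]


def shell_quoted(prog, input_path):
    """If a shell string is unavoidable, shlex.quote() single-quotes the value so $( ) is literal."""
    return f"{prog} {shlex.quote(input_path)}"


def run(command, shell):
    """Execute and return stripped stdout; None if no shell/program is available (keeps the demo portable)."""
    try:
        out = subprocess.run(command, shell=shell, capture_output=True, text=True, timeout=5)
        return out.stdout.strip()
    except (OSError, subprocess.SubprocessError):
        return None


def demo():
    """Run the three variants with 'echo' standing in for ffmpeg."""
    return {
        "weak_string": build_shell_command_weak("echo", PAYLOAD),
        "weak_run": run(build_shell_command_weak("echo", PAYLOAD), shell=True),
        "argv_run": run(build_argv("echo", PAYLOAD), shell=False),
        "quoted_run": run(shell_quoted("echo", PAYLOAD), shell=True),
    }
```

Blocklist sanitizers fail because the shell's grammar is larger than any list of characters (`$()`, `${}`, backticks, newlines, `%` and `!` expansions in some shells); the durable fix is to never hand user data to a shell at all and to pass the `ffmpeg` arguments as a vector.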