SSRF in Saloon PHP and Auth Model Leak in AVideo Expose Sensitive Data
Two newly disclosed vulnerabilities expose sensitive information in widely used web application components. CVE-2026-33182 affects Saloon PHP and allows unauthenticated, network-based server-side request forgery (SSRF) that can leak API credentials and session tokens, potentially granting attackers access to integrated third-party services and enabling misuse of those external environments. The issue carries a CVSS 4.0 score of 6.6 and is described as a high-confidentiality-impact flaw, with the host application's local database remaining intact even as connected systems may be exposed.
A separate issue, CVE-2026-33501, affects the WWBN AVideo Permissions Plugin and discloses an application's internal authorization model by revealing mappings between user groups and specific plugins. Although rated lower at CVSS v3.1 5.3 and not associated with credential or personally identifiable information exposure, the flaw provides valuable reconnaissance that can help attackers identify privileged roles, map the attack surface, and support follow-on privilege escalation attempts against vulnerable authenticated extensions.
Timeline
Mar 25, 2026
CVE-2026-33182 SSRF and credential leakage vulnerability published
A report disclosed CVE-2026-33182 in Saloon PHP, describing a server-side request forgery issue that can leak API credentials and session tokens to unauthenticated remote attackers. The report noted potential downstream impact on connected third-party services and external infrastructure.
Mar 20, 2026
CVE-2026-33501 information disclosure vulnerability published
A report disclosed CVE-2026-33501 in the WWBN AVideo Permissions Plugin, describing a missing authorization flaw that exposes the application's internal authorization model and plugin-to-group mappings. The issue was characterized as a confidentiality-only weakness with reconnaissance value for follow-on attacks.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
Related Stories
AVideo Flaws Enable Unauthenticated Takeover and SSRF on Exposed Deployments
WWBN **AVideo** versions `25.0` and earlier were found to contain two high-severity vulnerabilities that can be exploited without authentication. `CVE-2026-33038` allows full application takeover on uninitialized deployments because the exposed `install/checkConfiguration.php` endpoint can accept unauthenticated `POST` data to complete setup, create an administrator account, configure the database, and write the application's configuration file. Systems that have not yet created `videos/configuration.php` are especially at risk, as an attacker can initialize the platform with attacker-controlled credentials and infrastructure, gaining full administrative access. A second flaw, `CVE-2026-33039`, affects the `plugin/LiveLinks/proxy.php` endpoint and enables **server-side request forgery (SSRF)** through an HTTP redirect bypass. AVideo validates only the initial user-supplied URL, but does not re-validate redirect targets fetched by the proxy logic, allowing attackers to reach internal resources such as **RFC1918** addresses and cloud metadata services. Both issues were addressed in **AVideo `26.0`**, with the takeover bug classified as `CWE-306` and the SSRF bug as `CWE-918`.
1 weeks ago
Client-Side Injection Flaws Expose Sessions and Sensitive Data in AVideo and dom-sanitizer
Two newly disclosed web application flaws expose users to client-side data theft through content injection. In AVideo's **TopMenu** plugin, a stored cross-site scripting issue tracked as `GHSA-GMPC-FXG2-VCMQ` carries a CVSS 3.1 score of **6.1** and allows attackers to inject JavaScript that can read `document.cookie`, steal active session tokens, and impersonate users or administrators. Because the TopMenu component is rendered globally across the application, a malicious payload can execute for all site visitors, creating broad exposure and enabling follow-on attacks such as credential harvesting and fake login prompts. A separate issue in `rhukster/dom-sanitizer`, tracked as `GHSA-93VF-569F-22CQ`, allows **CSS injection** through SVG `style` tags and is rated **4.7** under CVSS 3.1. The flaw can be exploited remotely without authentication when a victim renders a crafted SVG in a browser, potentially disclosing the victim's IP address, browser details, exact page URL, and sensitive DOM-resident data such as CSRF tokens or partial session identifiers. While the sanitizer flaw does not directly alter server-side state or disrupt availability, both disclosures highlight how server-side handling of untrusted content can be turned into browser-based theft of session and application data.
3 weeks ago
SQL Injection Flaws Expose AVideo Data and Enable OpenSTAManager RCE
Two newly disclosed SQL injection vulnerabilities affect **WWBN AVideo Live Schedule Reminder** and the **OpenSTAManager Aggiornamenti** module, exposing organizations to severe database compromise. `CVE-2026-33651` is a blind SQL injection issue in AVideo rated **CVSS 8.1** that can let attackers exfiltrate the full database, including email addresses, personal information, and password hashes, while also modifying or deleting records through injected `UPDATE` or `DELETE` statements. Repeated time-based exploitation attempts could also degrade service performance by exhausting server connection pools. `CVE-2026-35168` affects OpenSTAManager and allows an authenticated attacker to execute arbitrary SQL with the privileges of the configured database user, undermining confidentiality, integrity, and availability. In MySQL or MariaDB deployments with broad database permissions, the flaw can enable schema changes, stored procedure tampering, and theft of sensitive financial data; where the database account has the `FILE` privilege, attackers can escalate from database access to **remote code execution** on the application server by writing arbitrary files to the host filesystem.
1 months ago