CVE-2026-33502: AVideo has Unauthenticated SSRF via plugin/Live/test.php

March 20, 2026 (updated March 25, 2026)

An unauthenticated server-side request forgery vulnerability in plugin/Live/test.php allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
github.com/advisories/GHSA-3fpm-8rjr-v5mc
nvd.nist.gov/vuln/detail/CVE-2026-33502

Code Behaviors & Features

Detect and mitigate CVE-2026-33502 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →