CVE-2026-33351: AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass

March 19, 2026

A Server-Side Request Forgery (SSRF) vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the $_REQUEST['webSiteRootURL'] parameter is used directly to construct a URL that is fetched server-side via file_get_contents(). No authentication, origin validation, or URL allowlisting is performed.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj
github.com/advisories/GHSA-5f7v-4f6g-74rj
nvd.nist.gov/vuln/detail/CVE-2026-33351

Code Behaviors & Features

Detect and mitigate CVE-2026-33351 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →