{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/avideo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41058"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","cve-2026-41058","avideo","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo is an open-source video platform. Versions 29.0 and below are vulnerable to a path traversal vulnerability (CVE-2026-41058) due to an incomplete fix for the \u003ccode\u003edeleteDump\u003c/code\u003e parameter in the CloneSite functionality. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server by injecting \u003ccode\u003e../../\u003c/code\u003e sequences into the GET request. The vulnerability was reported on April 21, 2026, and a fix is available in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2. 
Successful exploitation allows attackers to potentially disrupt service, delete sensitive data, or escalate privileges depending on the file permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running version 29.0 or below.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the CloneSite functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) into the \u003ccode\u003edeleteDump\u003c/code\u003e parameter of the GET request.\u003c/li\u003e\n\u003cli\u003eThe AVideo application fails to properly sanitize the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called with the attacker-controlled path, allowing deletion of arbitrary files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the vulnerability to delete critical system files or configuration files.\u003c/li\u003e\n\u003cli\u003eThe application or server becomes unstable or inoperable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41058 allows unauthenticated attackers to delete arbitrary files on the AVideo server. This can lead to denial of service, data loss, or potential privilege escalation if critical system files are deleted. 
The vulnerability affects all AVideo instances running version 29.0 or below, potentially impacting a large number of users and organizations relying on the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo instances to a version containing the fix from commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 to address CVE-2026-41058.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences in the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the CloneSite functionality and the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-avideo-path-traversal/","summary":"WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.","title":"WWBN AVideo Unauthenticated Path Traversal Vulnerability (CVE-2026-41058)","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-41055"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","avideo","cve-2026-41055"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to Server-Side Request Forgery (SSRF) in versions 29.0 and below. 
The vulnerability, identified as CVE-2026-41055, stems from an incomplete fix in the LiveLinks proxy. While the fix introduced \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e validation, it fails to address Time-of-Check Time-of-Use (TOCTOU) vulnerabilities related to DNS rebinding. This flaw allows attackers to bypass the intended SSRF protection by manipulating DNS responses between the validation check and the actual HTTP request, potentially redirecting traffic to internal, sensitive endpoints. The vulnerability can be remediated by applying the updated fix found in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8. Exploitation could lead to information disclosure or unauthorized access to internal services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 29.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL targeting the AVideo LiveLinks proxy feature.\u003c/li\u003e\n\u003cli\u003eThe malicious URL is designed to leverage DNS rebinding techniques.\u003c/li\u003e\n\u003cli\u003eThe AVideo server first validates the URL using \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e, which initially resolves to a safe, external IP address.\u003c/li\u003e\n\u003cli\u003eAfter validation, but before the HTTP request is made, the DNS record for the malicious URL is altered to point to an internal IP address.\u003c/li\u003e\n\u003cli\u003eThe AVideo server, due to the TOCTOU vulnerability, now makes an HTTP request to the attacker-controlled internal IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to internal resources or services through the AVideo server.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data or pivots to other internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF 
vulnerability (CVE-2026-41055) in WWBN AVideo could allow attackers to access sensitive internal resources that are not intended to be exposed to the public internet. An attacker could potentially read internal configuration files, access databases, or even execute commands on internal systems, depending on the exposed services. The specific impact will vary depending on the organization\u0026rsquo;s internal network configuration and the services running behind the AVideo server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WWBN AVideo to a version containing the complete SSRF fix, referencing commit 8d8fc0cadb425835b4861036d589abcea4d78ee8.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF vulnerabilities by restricting access from the AVideo server to only necessary internal resources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious AVideo SSRF Attempt\u003c/code\u003e to detect potential exploitation attempts via web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual outbound connections from the AVideo server to internal IP addresses based on the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-wwbn-avideo-ssrf/","summary":"WWBN AVideo versions 29.0 and below are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix in the LiveLinks proxy, potentially allowing attackers to redirect traffic to internal endpoints.","title":"WWBN AVideo SSRF Vulnerability 
(CVE-2026-41055)","url":"https://feed.craftedsignal.io/briefs/2026-04-wwbn-avideo-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-41064"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-41064","avideo","rce","command-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to an unauthenticated remote code execution (RCE) flaw. This vulnerability, identified as CVE-2026-41064, exists in versions up to and including 29.0. The root cause is an incomplete fix applied to the \u003ccode\u003etest.php\u003c/code\u003e file. While the fix implemented \u003ccode\u003eescapeshellarg\u003c/code\u003e for the \u003ccode\u003ewget\u003c/code\u003e command, it neglected to sanitize input for the \u003ccode\u003efile_get_contents\u003c/code\u003e and \u003ccode\u003ecurl\u003c/code\u003e code paths. Additionally, the URL validation regex \u003ccode\u003e/^http/\u003c/code\u003e is overly permissive, accepting malicious strings such as \u003ccode\u003ehttpevil[.]com\u003c/code\u003e. Successful exploitation allows attackers to execute arbitrary commands on the server hosting the AVideo platform. The recommended remediation is to apply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted HTTP request to the \u003ccode\u003etest.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a malicious URL, designed to exploit the insufficient input validation in the \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e code paths. 
For example, using \u003ccode\u003ehttpevil[.]com\u003c/code\u003e to bypass the regex check \u003ccode\u003e/^http/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etest.php\u003c/code\u003e script processes the request, attempting to retrieve content from the attacker-controlled URL using either \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper sanitization, the malicious URL is interpreted as an OS command.\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker-supplied OS command.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the AVideo server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform various malicious activities, such as installing malware, stealing sensitive data, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41064) grants unauthenticated attackers the ability to execute arbitrary code on the affected AVideo server. This can lead to complete compromise of the server, including data theft, defacement, or use as a staging ground for further attacks. Given the platform\u0026rsquo;s use in video hosting, successful attacks could impact numerous users and content creators relying on the vulnerable AVideo instance. 
The vulnerable regex \u003ccode\u003e/^http/\u003c/code\u003e and unsanitized functions leave the server open to mass exploitation if exposed to the public internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 to fully address the input validation issue in \u003ccode\u003etest.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AVideo test.php Command Injection Attempt\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003etest.php\u003c/code\u003e containing suspicious URLs, especially those matching the \u003ccode\u003ehttpevil[.]com\u003c/code\u003e pattern as documented in the IOCs.\u003c/li\u003e\n\u003cli\u003eImplement a more robust URL validation mechanism that properly sanitizes input before passing it to \u003ccode\u003efile_get_contents\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T00:16:28Z","date_published":"2026-04-22T00:16:28Z","id":"/briefs/2026-04-avideo-rce/","summary":"WWBN AVideo versions up to 29.0 contain an OS Command Injection vulnerability (CVE-2026-41064) in the `test.php` file, allowing unauthenticated remote code execution due to insufficient input sanitization, especially affecting `file_get_contents` and `curl` code paths.","title":"WWBN AVideo Unauthenticated Remote Code Execution via test.php","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-27732"},{"cvss":7.1,"id":"CVE-2026-39370"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","avideo","cve-2026-39370"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, a video-sharing platform, is 
susceptible to a Server-Side Request Forgery (SSRF) vulnerability due to an incomplete patch for CVE-2026-27732. The vulnerability exists in the \u003ccode\u003eobjects/aVideoEncoder.json.php\u003c/code\u003e script. An authenticated uploader can provide a malicious \u003ccode\u003edownloadURL\u003c/code\u003e containing a common media extension like \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, or \u003ccode\u003e.zip\u003c/code\u003e, bypassing SSRF validation. This allows the attacker to force the server to fetch internal resources. The server fetches the specified URL using \u003ccode\u003eurl_get_contents()\u003c/code\u003e, stores the response as media content, and makes it accessible through the \u003ccode\u003e/videos/...\u003c/code\u003e endpoint. This vulnerability, identified as CVE-2026-39370, affects AVideo versions 26.0 and earlier. Exploitation enables exfiltration of sensitive data from internal APIs and services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs in as a low-privilege authenticated user with upload privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003edownloadURL\u003c/code\u003e pointing to an internal resource (e.g., \u003ccode\u003ehttp://127.0.0.1:9998/probe.mp4\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/objects/aVideoEncoder.json.php\u003c/code\u003e with the \u003ccode\u003edownloadURL\u003c/code\u003e and a valid \u003ccode\u003eformat\u003c/code\u003e parameter (e.g., \u003ccode\u003emp4\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAVideo\u0026rsquo;s \u003ccode\u003edownloadVideoFromDownloadURL()\u003c/code\u003e function extracts the extension and incorrectly skips \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e validation due to the allowlisted 
extension.\u003c/li\u003e\n\u003cli\u003eThe server fetches the content from the attacker-controlled \u003ccode\u003edownloadURL\u003c/code\u003e using \u003ccode\u003eurl_get_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe fetched content is written into video storage.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the media metadata using \u003ccode\u003eGET /objects/videos.json.php?showAll=1\u003c/code\u003e to obtain the \u003ccode\u003evideosURL.mp4.url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the media URL and recovers the content from the internal resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an authenticated uploader to force the AVideo server to fetch internal resources and persist the response as media content. This Server-Side Request Forgery (SSRF) vulnerability allows internal response exfiltration from private APIs, admin endpoints, or other internal services reachable from the application host. 
The number of potential victims depends on the number of AVideo installations running versions less than or equal to 26.0, and the sectors primarily affected are likely media and entertainment, as well as organizations utilizing AVideo for internal video hosting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e to all \u003ccode\u003edownloadURL\u003c/code\u003e inputs in \u003ccode\u003eobjects/aVideoEncoder.json.php\u003c/code\u003e, regardless of file extension, to remediate CVE-2026-39370.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AVideo SSRF Attempt via DownloadURL\u0026rdquo; to identify potential exploitation attempts based on requests to \u003ccode\u003e/objects/aVideoEncoder.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict upload-by-URL functionality to an explicit allowlist of trusted fetch origins.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:08:47Z","date_published":"2026-04-08T00:08:47Z","id":"/briefs/2026-04-avideo-ssrf/","summary":"WWBN AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix for CVE-2026-27732, allowing authenticated uploaders to bypass SSRF protection by providing a `downloadURL` with a common media extension, leading to internal response exfiltration.","title":"WWBN AVideo SSRF Vulnerability via Incomplete CVE-2026-27732 Fix","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33512","avideo","improper-authentication","api-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo is an open-source video platform. Versions up to and including 26.0 are vulnerable to an improper authentication issue within the API plugin. 
The \u003ccode\u003edecryptString\u003c/code\u003e action, intended for internal decryption processes, is exposed without any authentication requirements. Attackers can exploit this vulnerability to submit ciphertext, which is publicly accessible through endpoints like \u003ccode\u003eview/url2Embed.json.php\u003c/code\u003e, and receive the corresponding plaintext. Successful exploitation allows…\u003c/p\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-avideo-decryptstring/","summary":"WWBN AVideo, up to version 26.0, contains an improper authentication vulnerability (CVE-2026-33512) in the API plugin's `decryptString` action, allowing unauthenticated users to decrypt publicly accessible ciphertext and potentially recover protected tokens/metadata.","title":"WWBN AVideo Unauthenticated decryptString Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-avideo-decryptstring/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["avideo","sqli","cve-2026-33723","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33723) affecting versions up to and including 26.0. The vulnerability resides within the \u003ccode\u003eSubscribe::save()\u003c/code\u003e method located in \u003ccode\u003eobjects/subscribe.php\u003c/code\u003e. The application directly concatenates the \u003ccode\u003e$this-\u0026gt;users_id\u003c/code\u003e property into an INSERT SQL query without proper sanitization or parameterized binding. 
This property originates from the \u003ccode\u003e$_POST['user_id']\u003c/code\u003e parameter in both…\u003c/p\u003e\n","date_modified":"2026-03-23T19:16:42Z","date_published":"2026-03-23T19:16:42Z","id":"/briefs/2024-05-avideo-sqli/","summary":"WWBN AVideo platform versions up to 26.0 are vulnerable to SQL injection (CVE-2026-33723), allowing authenticated attackers to inject arbitrary SQL commands via the 'user_id' POST parameter and extract sensitive data such as password hashes, API keys, and encryption salts.","title":"WWBN AVideo SQL Injection Vulnerability (CVE-2026-33723)","url":"https://feed.craftedsignal.io/briefs/2024-05-avideo-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["avideo","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to a privilege escalation flaw. Specifically, in AVideo versions up to and including 26.0, a user with \u0026ldquo;Videos Moderator\u0026rdquo; permissions can perform unauthorized video management operations. The vulnerability stems from inconsistent authorization checks within the platform\u0026rsquo;s code. While the \u0026ldquo;Videos Moderator\u0026rdquo; permission is intended to only permit changes to video publicity (Active, Inactive, Unlisted), the flaw allows for full video editing operations, including ownership transfer and video deletion. This vulnerability was patched in commit 838e16818c793779406ecbf34ebaeba9830e33f8. 
Successful exploitation of this flaw could lead to data loss and unauthorized content manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a legitimate \u0026ldquo;Videos Moderator\u0026rdquo; account on the AVideo platform.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the \u003ccode\u003ePermissions::canModerateVideos()\u003c/code\u003e function within \u003ccode\u003evideoAddNew.json.php\u003c/code\u003e to initiate video editing operations beyond the intended scope of the moderator role.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ownership of a target video, transferring it to an account controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker, now the owner of the target video, bypasses the intended authorization controls within the \u003ccode\u003evideoDelete.json.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the \u003ccode\u003evideoDelete.json.php\u003c/code\u003e script to delete the video.\u003c/li\u003e\n\u003cli\u003eThe platform deletes the video, due to the successful ownership transfer and the insufficient permission checks in the delete function.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to delete any video on the platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with limited \u0026ldquo;Videos Moderator\u0026rdquo; privileges to escalate their access and perform unauthorized video management operations. This can lead to the deletion of arbitrary videos on the platform, resulting in data loss, service disruption, and potential reputational damage. 
The number of affected installations is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 838e16818c793779406ecbf34ebaeba9830e33f8 to address the vulnerability in AVideo (CVE-2026-33650).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003evideoAddNew.json.php\u003c/code\u003e and \u003ccode\u003evideoDelete.json.php\u003c/code\u003e originating from \u0026ldquo;Videos Moderator\u0026rdquo; accounts, looking for anomalous activity (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement stricter authorization controls for video management operations within the AVideo platform to prevent privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T19:16:41Z","date_published":"2026-03-23T19:16:41Z","id":"/briefs/2024-01-22-avideo-privilege-escalation/","summary":"WWBN AVideo platform versions up to 26.0 allows a 'Videos Moderator' to escalate privileges and perform unauthorized video management operations due to inconsistent authorization checks.","title":"WWBN AVideo Privilege Escalation via Moderator Account","url":"https://feed.craftedsignal.io/briefs/2024-01-22-avideo-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssrf","avideo","cve-2026-33502","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is affected by a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33502) in versions up to and including 26.0. The vulnerability exists within the \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e file. An attacker can exploit this flaw to force the AVideo server to make HTTP requests to arbitrary URLs.  
Successful exploitation allows attackers to probe internal network services, potentially accessing sensitive internal HTTP resources, cloud metadata endpoints, and other protected assets. The patch for this vulnerability is included in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. This vulnerability poses a significant risk, as it does not require authentication and can lead to the exposure of sensitive information and potential compromise of internal infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a URL parameter pointing to an internal resource (e.g., \u003ccode\u003ehttp://localhost/admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe AVideo server, without proper validation, processes the request and sends an HTTP request to the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe server receives the HTTP response from the internal resource.\u003c/li\u003e\n\u003cli\u003eThe server may return the content of the internal resource to the attacker, depending on the AVideo application logic.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the returned content, potentially gaining access to sensitive information like configuration files, API keys, or internal service endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed information to further compromise the AVideo instance or the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-33502) can lead to the exposure of sensitive internal resources, including configuration files, API 
keys, and cloud metadata. This can enable attackers to gain unauthorized access to internal systems, escalate privileges, and potentially compromise the entire infrastructure. The number of affected AVideo instances is currently unknown, but given its open-source nature, it is potentially widespread across various sectors. A successful attack can lead to data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo instances to a patched version containing commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 to remediate CVE-2026-33502.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo SSRF Attempt via plugin Live Test\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to internal resources and mitigate the impact of successful SSRF exploitation.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for suspicious requests to \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e with unusual URL parameters (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T17:16:51Z","date_published":"2026-03-23T17:16:51Z","id":"/briefs/2024-01-24-avideo-ssrf/","summary":"AVideo versions up to 26.0 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `plugin/Live/test.php` endpoint, allowing attackers to make the server send arbitrary HTTP requests, potentially exposing internal resources and cloud metadata.","title":"AVideo Unauthenticated Server-Side Request Forgery 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-avideo-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["avideo","file-access","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to unauthorized file access and deletion in versions up to and including 26.0. The vulnerability resides in the \u003ccode\u003eobjects/import.json.php\u003c/code\u003e endpoint, which lacks proper directory restriction on the user-controlled \u003ccode\u003efileURI\u003c/code\u003e POST parameter. This allows an authenticated user with upload permissions to bypass intended security measures and access or delete files outside of their authorized scope. The vulnerability was addressed in commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78. This vulnerability allows for the potential compromise of sensitive video content and adjacent data. Exploitation can lead to data theft and potential data loss. 
Defenders should prioritize patching and monitoring for suspicious activity targeting this endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the AVideo platform with a valid user account that possesses upload permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eobjects/import.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003efileURI\u003c/code\u003e parameter, which is set to a path pointing to a target video file or adjacent text file outside the user\u0026rsquo;s designated directory.\u003c/li\u003e\n\u003cli\u003eThe server-side code processes the request without performing adequate directory restriction checks on the \u003ccode\u003efileURI\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf the target is a video file, the server imports the video file into the attacker\u0026rsquo;s account, allowing the attacker to steal private video files.\u003c/li\u003e\n\u003cli\u003eIf the target is a readable text file adjacent to a video, the attacker can access its contents via the import mechanism.\u003c/li\u003e\n\u003cli\u003eIf the targeted file (either video or adjacent text file) is writable by the web server process, the attacker can trigger its deletion by including the appropriate parameters in the crafted request.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates the stolen video data or sensitive information from accessed files, or causes data loss due to file deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. An attacker can steal private video files belonging to other users, resulting in a breach of confidentiality and potential reputational damage. 
The ability to read adjacent \u003ccode\u003e.txt\u003c/code\u003e/\u003ccode\u003e.html\u003c/code\u003e/\u003ccode\u003e.htm\u003c/code\u003e files can expose sensitive information, such as configuration files or credentials. Furthermore, the capability to delete \u003ccode\u003e.mp4\u003c/code\u003e files and adjacent text files can cause data loss and disruption of service. The number of affected users depends on the specific deployment and the number of users with private video content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 to remediate CVE-2026-33493.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to your web server logs to detect attempts to access arbitrary files using the \u003ccode\u003efileURI\u003c/code\u003e parameter in requests to \u003ccode\u003eobjects/import.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns, particularly requests to \u003ccode\u003eobjects/import.json.php\u003c/code\u003e with \u003ccode\u003efileURI\u003c/code\u003e parameters containing directory traversal sequences like \u0026ldquo;../\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T16:16:49Z","date_published":"2026-03-23T16:16:49Z","id":"/briefs/2024-01-avideo-file-access/","summary":"WWBN AVideo platform versions up to 26.0 are vulnerable to unauthorized file access and deletion, where an authenticated user with upload permissions can exploit the `objects/import.json.php` endpoint by manipulating the `fileURI` parameter to steal private video files, read adjacent text files, and delete `.mp4` and other writable files on the filesystem.","title":"WWBN AVideo Unauthorized File Access and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed — 
Avideo","version":"https://jsonfeed.org/version/1.1"}