{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33502/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssrf","avideo","cve-2026-33502","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is affected by a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33502) in versions up to and including 26.0. The flaw is in the \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e file: an attacker can supply a URL and the AVideo server will issue an HTTP request to it. Because the request originates from the server rather than from the attacker, it can reach destinations that are not exposed to the Internet, such as internal HTTP services, cloud provider metadata endpoints, and other assets protected only by network position. The fix is included in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. The vulnerability poses a significant risk because it requires no authentication and can expose sensitive information and lead to compromise of internal infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a URL parameter pointing to an internal resource (e.g., \u003ccode\u003ehttp://localhost/admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe AVideo server, without validating the destination, sends an HTTP request to the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe server receives the HTTP response from the internal resource.\u003c/li\u003e\n\u003cli\u003eDepending on the AVideo application logic, the server may return the content of the internal resource to the attacker; even where the body is not returned, differences in status, error messages, or response time can reveal whether an internal host or port is reachable.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the returned content, potentially gaining access to sensitive information such as configuration files, API keys, or internal service endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed information to further compromise the AVideo instance or the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-33502) can expose sensitive internal resources, including configuration files, API keys, and cloud metadata. This can enable attackers to gain unauthorized access to internal systems, escalate privileges, and potentially compromise the entire infrastructure. The number of affected AVideo instances is unknown; because AVideo is self-hosted open-source software, vulnerable deployments may exist across many sectors. A successful attack can lead to data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo instances to a patched version containing commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 to remediate CVE-2026-33502.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo SSRF Attempt via plugin Live Test\u003c/code\u003e to identify exploitation attempts against the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and egress filtering so that the web server cannot reach internal administrative interfaces or the cloud metadata service; where the provider offers a hardened metadata mode (for example IMDSv2 on AWS), require it.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for requests to \u003ccode\u003eplugin/Live/test.php\u003c/code\u003e whose URL parameters reference loopback, link-local, private (RFC 1918) or cloud metadata addresses, including encoded forms such as percent-encoded, decimal or hexadecimal IP addresses (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T17:16:51Z","date_published":"2026-03-23T17:16:51Z","id":"/briefs/2024-01-24-avideo-ssrf/","summary":"AVideo versions up to and including 26.0 contain an unauthenticated server-side request forgery (SSRF) vulnerability in the `plugin/Live/test.php` endpoint that lets attackers make the server send HTTP requests to arbitrary URLs, potentially exposing internal resources and cloud metadata.","title":"AVideo Unauthenticated Server-Side Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-avideo-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-33502","version":"https://jsonfeed.org/version/1.1"}
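The log-review recommendation in the brief, as an added example that is not part of the brief, the feed, or the AVideo project: a Python scanner over Apache/nginx combined-format access-log lines that flags requests to plugin/Live/test.php whose query parameters carry a URL aimed at a loopback, link-local, private or cloud metadata destination, including percent-encoded, decimal and hexadecimal IP forms that naive filters miss. The log lines are constructed for this example, and the parameter names url and u are assumptions: the brief does not name the vulnerable parameter, so the scanner inspects every query parameter value rather than a fixed name. The metadata hostnames are general cloud knowledge, not something the brief states about AVideo.

```python
"""Flag AVideo plugin/Live/test.php requests whose query parameters carry an
SSRF-style destination (loopback, link-local, private or cloud metadata).
Log lines and parameter names below are constructed for this example."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: client, identd, user, [timestamp], "request line", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

VULN_PATH = "plugin/Live/test.php"

# Cloud metadata endpoints reachable only from inside an instance.
METADATA_HOSTS = {
    "169.254.169.254",           # AWS, Azure, GCP, OpenStack, DigitalOcean
    "metadata.google.internal",  # GCP
    "100.100.100.200",           # Alibaba Cloud
    "fd00:ec2::254",             # AWS IMDS over IPv6
}

def _host_to_ip(host):
    """Parse an IP literal without DNS, including bare-decimal (2130706433) and
    hex (0x7f000001) IPv4 encodings that are commonly used to evade filters."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 16) if host.startswith("0x") else int(host, 10)
        if 0 <= n <= 0xFFFFFFFF:
            return ipaddress.ip_address(n)
    except ValueError:
        pass
    return None

def classify_target(url):
    """Return why a URL looks like an SSRF target, or None if it looks benign."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()  # brackets are already stripped from IPv6 literals
    if host in METADATA_HOSTS:
        return "cloud-metadata"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    ip = _host_to_ip(host)
    if ip is None:
        return None  # external hostname; DNS rebinding cannot be judged from log text
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"  # 169.254.0.0/16, where metadata services usually live
    if ip.is_private:
        return "private-range"
    if ip.is_unspecified:
        return "unspecified"  # 0.0.0.0 typically reaches loopback services
    return None

def scan_line(line):
    """Parse one access-log line and return a finding dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if VULN_PATH not in path:
        return None
    hits = []
    # parse_qs percent-decodes values, so http%3A%2F%2F... is inspected as http://...
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            reason = classify_target(value)
            if reason:
                hits.append((name, value, reason))
    if not hits:
        return None
    return {"client": m.group("client"), "timestamp": m.group("ts"),
            "status": int(m.group("status")), "hits": hits}

def scan(lines):
    """Run scan_line over an iterable of log lines and keep the findings."""
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample log: four SSRF-style requests, one benign external URL, one to another endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Mar/2026:17:20:01 +0000] "GET /plugin/Live/test.php?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.10 - - [23/Mar/2026:17:20:05 +0000] "GET /plugin/Live/test.php?u=http%3A%2F%2F0x7f000001%2Fadmin HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [23/Mar/2026:17:21:30 +0000] "GET /plugin/Live/test.php?url=http://[::1]:8080/ HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.44 - - [23/Mar/2026:17:22:00 +0000] "GET /plugin/Live/test.php?url=https://cdn.example.com/stream.m3u8 HTTP/1.1" 200 211 "-" "Mozilla/5.0"
192.0.2.45 - - [23/Mar/2026:17:22:10 +0000] "GET /plugin/Live/index.php?url=http://localhost/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.46 - - [23/Mar/2026:17:22:20 +0000] "GET /plugin/Live/test.php?url=http://10.0.0.5/.git/config HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        for name, value, reason in f["hits"]:
            print(f"{f['timestamp']} {f['client']} status={f['status']} {name}={value} -> {reason}")
```

Access logs record only the request line, so a URL sent in a POST body will not appear here; the brief does not state the HTTP method, so pair this with application or WAF logs if the parameter can travel in the body. A public attacker-controlled hostname that later resolves to an internal address (DNS rebinding) cannot be judged from the log text, and a 500 with zero bytes, as in the third sample line, is still worth triage because the server may have reached the target and failed to render the reply. Treat the scanner as a triage aid alongside the Sigma rule, not as a complete control.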