Question 1

What is this vulnerability? (Essence + Consequences)

Accepted Answer

🚨 **What is this vulnerability?**  *   **Essence:** Server-Side Request Forgery (SSRF) in WWBN AVideo. *   **Flaw:** The file `plugin/Live/standAloneFiles/saveDVR.json.php` is vulnerable. *   **Consequence:** Unverified …

Question 2

Root Cause? (CWE/Flaw)

Accepted Answer

🛡️ **Root Cause? (CWE/Flaw)**  *   **CWE ID:** CWE-918 (SSRF). *   **Technical Flaw:** Lack of input validation on `webSiteRootURL`. *   **Mechanism:** User-controlled input is blindly passed to server-side HTTP requests…

Question 3

Who is affected? (Versions/Components)

Accepted Answer

👥 **Who is affected? (Versions/Components)**  *   **Vendor:** WWBN. *   **Product:** AVideo (PHP-based video platform). *   **Affected Versions:** **Before 26.0**. *   **Specific File:** `plugin/Live/standAloneFiles/save…

Question 4

What can hackers do? (Privileges/Data)

Accepted Answer

💣 **What can hackers do? (Privileges/Data)**  *   **Data Access:** Read internal server files or sensitive data (C:H). *   **Integrity:** Modify internal server responses or data (I:H). *   **Network:** Probe internal ne…

Question 5

Is exploitation threshold high? (Auth/Config)

Accepted Answer

🔓 **Is exploitation threshold high? (Auth/Config)**  *   **Auth Required:** **NO** (PR:N - Privileges Required: None). *   **User Interaction:** **NO** (UI:N - User Interaction: None). *   **Attack Vector:** Network (AV:…

Question 6

Is there a public Exp? (PoC/Wild Exploitation)

Accepted Answer

🧪 **Is there a public Exp? (PoC/Wild Exploitation)**  *   **PoC Status:** No public PoC listed in data (`pocs: []`). *   **References:** GitHub Advisory (GHSA-5f7v-4f6g-74rj) and Commit exist. *   **Wild Exploitation:** …

Question 7

How to self-check? (Features/Scanning)

Accepted Answer

🔍 **How to self-check? (Features/Scanning)**  *   **Target URL:** Look for `plugin/Live/standAloneFiles/saveDVR.json.php`. *   **Parameter:** Check for `webSiteRootURL` in requests. *   **Scanner:** Use SSRF scanners tar…

Question 8

Is it fixed officially? (Patch/Mitigation)

Accepted Answer

🩹 **Is it fixed officially? (Patch/Mitigation)**  *   **Fix Available:** **YES**. *   **Version:** Upgrade to **AVideo 26.0** or later. *   **Commit:** Fix committed at `d0c54960389eeb85e76caed5a257ae90e6a739f2`. *   **A…

Question 9

What if no patch? (Workaround)

Accepted Answer

🚧 **What if no patch? (Workaround)**  *   **Input Validation:** Manually sanitize `webSiteRootURL` in the vulnerable file. *   **Access Control:** Restrict access to `plugin/Live/` directory via WAF/Nginx. *   **Network …

Question 10

Is it urgent? (Priority Suggestion)

Accepted Answer

⚡ **Is it urgent? (Priority Suggestion)**  *   **Priority:** **HIGH**. *   **Reason:** Remote, unauthenticated, low complexity. *   **CVSS Score:** High impact on Confidentiality/Integrity. *   **Action:** Patch immediat…

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-33351 — AI Deep Analysis Summary

Q1What is this vulnerability? (Essence + Consequences)

Q2Root Cause? (CWE/Flaw)

Q3Who is affected? (Versions/Components)

Q4What can hackers do? (Privileges/Data)

Q5Is exploitation threshold high? (Auth/Config)

Q6Is there a public Exp? (PoC/Wild Exploitation)

Q7How to self-check? (Features/Scanning)

Q8Is it fixed officially? (Patch/Mitigation)

Q9What if no patch? (Workaround)

Q10Is it urgent? (Priority Suggestion)

Continue exploring