CVE-2026-33351: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
CVE-2026-33351 is a critical Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo versions prior to 26.0, specifically in the Live plugin's standalone mode. The vulnerability arises because the `webSiteRootURL` parameter is used without validation to fetch URLs server-side via `file_get_contents()`, allowing unauthenticated attackers to make arbitrary HTTP requests from the server. This can lead to unauthorized access to internal resources, data exfiltration, and potential compromise of system integrity. The vulnerability has a CVSS score of 9.1, indicating high severity with no authentication or user interaction required. Although no known exploits are currently reported in the wild, organizations using affected versions should upgrade immediately to version 26.0 or later where the issue is patched. Defenders must implement strict input validation, network-level restrictions, and monitor for unusual outbound requests to mitigate risks.
AI Analysis
Technical Summary
CVE-2026-33351 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WWBN AVideo open-source video platform, specifically affecting versions prior to 26.0. The flaw exists in the `plugin/Live/standAloneFiles/saveDVR.json.php` file when the Live plugin is deployed in standalone mode, which is the intended configuration for this file. The vulnerability stems from the unsanitized use of the `$_REQUEST['webSiteRootURL']` parameter to construct a URL that the server fetches using PHP's `file_get_contents()` function. Because there is no authentication, origin validation, or URL allowlisting, an attacker can supply arbitrary URLs, causing the server to make HTTP requests to internal or external systems. This can be exploited to access internal network services that are otherwise inaccessible externally, potentially leading to information disclosure, unauthorized internal network scanning, or leveraging the server as a proxy for further attacks. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and has a CVSS v3.1 base score of 9.1, reflecting its critical nature due to the ease of exploitation (no privileges or user interaction required) and the high impact on confidentiality and integrity. The vendor has addressed the issue in version 26.0 by implementing appropriate validation or restrictions on the `webSiteRootURL` parameter. No public exploits have been reported yet, but the severity and simplicity of exploitation make it a significant risk for affected deployments.
Potential Impact
The impact of this SSRF vulnerability is substantial for organizations using WWBN AVideo versions prior to 26.0, especially those deploying the Live plugin in standalone mode. Attackers can exploit this flaw to make arbitrary HTTP requests from the vulnerable server, potentially accessing sensitive internal services, metadata endpoints, or administrative interfaces that are not exposed externally. This can lead to unauthorized data disclosure, internal network reconnaissance, and may serve as a pivot point for further attacks within the network. The integrity of the system can also be compromised if attackers leverage SSRF to interact with internal APIs or services that perform critical operations. Although availability impact is low, the breach of confidentiality and integrity can result in significant operational and reputational damage. Given the high CVSS score and lack of required authentication, the vulnerability poses a critical risk to organizations relying on this platform, particularly those hosting sensitive video content or operating in regulated industries.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade WWBN AVideo to version 26.0 or later, where the issue is patched. If upgrading is not immediately feasible, implement strict input validation and sanitization on the `webSiteRootURL` parameter to ensure only trusted URLs are accepted. Employ URL allowlisting to restrict requests to known safe domains. Network-level controls such as firewall rules should be configured to prevent the server from making unauthorized outbound HTTP requests, especially to internal IP ranges or sensitive services. Monitoring and logging outbound requests from the server can help detect suspicious SSRF exploitation attempts. Additionally, consider deploying web application firewalls (WAFs) with SSRF detection capabilities to block malicious requests. Regular security assessments and code reviews of plugins and customizations can help identify similar vulnerabilities proactively.
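As an added illustration of the allowlist and internal-range checks recommended above (example code written for this page, not AVideo's own code or its 26.0 patch): a PHP helper that validates a caller-supplied `webSiteRootURL` before it is used in a server-side fetch. It assumes a hypothetical deployment setting, `$allowedHosts`, listing the main-site host(s) the standalone Live server is configured to report to.

```php
<?php
// Added example, not AVideo's code or its actual fix: validate a request-supplied
// site root before it reaches file_get_contents(). $allowedHosts is a
// hypothetical config value naming the hosts this standalone Live server may call.

function isPrivateOrReservedIp(string $ip): bool {
    // NO_PRIV_RANGE rejects RFC 1918 / ULA space; NO_RES_RANGE rejects loopback,
    // link-local (169.254/16, where cloud metadata lives), 0.0.0.0/8, etc.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false; // fail closed
}

function validateWebSiteRootURL(string $candidate, array $allowedHosts): ?string {
    $parts = parse_url($candidate);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    // Only http(s): rules out file://, php://, data:, gopher:// and similar wrappers.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // A site root is not expected to carry credentials or a custom port.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    // Exact-match allowlist; deliberately no wildcard or suffix matching.
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return null;
    }
    // Resolve the allowlisted name and refuse internal targets in case DNS has
    // been changed under it (IPv4 only here). A check-then-fetch still leaves a
    // rebinding window; pinning the resolved IP at fetch time closes it.
    $addresses = gethostbynamel($host);
    if ($addresses === false) {
        return null;
    }
    foreach ($addresses as $ip) {
        if (isPrivateOrReservedIp($ip)) {
            return null;
        }
    }
    // Rebuild the URL from validated parts instead of echoing the raw input.
    return $scheme . '://' . $host . rtrim($parts['path'] ?? '/', '/') . '/';
}

// Usage sketch: $root = validateWebSiteRootURL($_REQUEST['webSiteRootURL'] ?? '', $allowedHosts);
// Abort the request when $root is null; only then build the fetch URL from $root.
```

The outbound-firewall and logging controls listed above remain necessary alongside this check, since an application-level validator cannot see every path by which the server can be made to issue a request.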
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T22:15:11.814Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14797f4197a8e3b602aaf
Added to database: 3/23/2026, 2:00:55 PM
Last enriched: 3/23/2026, 2:17:18 PM
Last updated: 3/23/2026, 4:11:08 PM