CVE-2026-33502 is a critical SSRF vulnerability identified in the open-source video platform WWBN AVideo, affecting all versions up to and including 26.0. The flaw exists in the `plugin/Live/test.php` script, which improperly handles user-supplied URLs, allowing unauthenticated remote attackers to coerce the server into making HTTP requests to arbitrary destinations. This can be exploited to probe internal network services, access localhost endpoints, or retrieve sensitive data from cloud metadata services, which often contain credentials or configuration details. The vulnerability does not require any authentication or user interaction, making it trivially exploitable remotely. The SSRF can lead to confidentiality breaches by exposing internal resources and potentially enabling further attacks such as lateral movement or privilege escalation. The issue was addressed in a patch committed under the identifier 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. The CVSS v3.1 base score is 9.3, indicating a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change that impacts confidentiality highly and integrity moderately. No known exploits in the wild have been reported yet, but the ease of exploitation and impact make it a high-priority vulnerability for affected organizations to remediate.

The SSRF vulnerability in WWBN AVideo can have severe consequences for organizations worldwide. Attackers can leverage this flaw to access internal services that are otherwise inaccessible from the internet, including administrative interfaces, databases, or cloud metadata endpoints that may contain sensitive credentials. This can lead to unauthorized data disclosure, compromise of internal network infrastructure, and potential pivoting to other systems within the environment. The breach of cloud metadata services is particularly dangerous as it may allow attackers to obtain cloud instance credentials, enabling further compromise of cloud resources. The vulnerability's unauthenticated nature and lack of user interaction requirements increase the likelihood of exploitation. Organizations relying on WWBN AVideo for video streaming or content delivery may face data breaches, service disruptions, and reputational damage if exploited. Additionally, the scope of affected systems is broad since the vulnerability affects all versions up to 26.0, potentially impacting many deployments globally.

To mitigate CVE-2026-33502, organizations should immediately update WWBN AVideo to a version beyond 26.0 that includes the patch (commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3). If immediate patching is not feasible, implement network-level controls to restrict outbound HTTP requests from the AVideo server, especially to internal IP ranges and cloud metadata IP addresses (e.g., 169.254.169.254 for AWS). Employ strict egress filtering and monitoring to detect anomalous outbound requests indicative of SSRF exploitation attempts. Additionally, review and harden internal services to require authentication and minimize exposure. Application-level input validation and sanitization should be enhanced to prevent injection of arbitrary URLs. Logging and alerting on unusual request patterns to internal resources can help detect exploitation attempts early. Finally, conduct security assessments and penetration testing focused on SSRF vectors to ensure no residual vulnerabilities remain.