Multiple Critical AVideo Flaws Enable Takeover, Session Hijacking, and SSRF
WWBN AVideo was found to contain multiple high-severity vulnerabilities that can let attackers seize control of deployments, hijack user sessions, and access internal network resources. On uninitialized instances running version 25.0 or earlier, install/checkConfiguration.php could be abused without authentication to complete setup, create an administrator account, and write configuration files, enabling full application takeover under CVE-2026-33038. Separate insecure defaults in the official Docker deployment path, tracked as CVE-2026-33037, left new installations exposed to immediate administrative compromise because the admin password defaulted to "password" and database credentials defaulted to avideo/avideo, with no forced password change or effective hardening.
AVideo also exposed users and infrastructure through web-facing flaws in session handling and URL fetching. Under CVE-2026-33043, /objects/phpsessionid.json.php disclosed active PHP session IDs to unauthenticated requests, and permissive CORS behavior could allow cross-origin session theft and account takeover. Two SSRF issues affected the unauthenticated plugin/LiveLinks/proxy.php endpoint: CVE-2026-33039 allowed redirect-based bypass of URL safety checks in version 25.0 and earlier, while CVE-2026-33480 showed that isSSRFSafeURL() could also be bypassed with IPv4-mapped IPv6 addresses, extending exposure through version 26.0 and enabling access to localhost, RFC1918 networks, and cloud metadata services. WWBN issued fixes in AVideo 26.0 for most of the disclosed flaws, with an additional patch published for the IPv6-based SSRF bypass.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-33480 is publicly disclosed
On 2026-03-23, a public vulnerability record disclosed CVE-2026-33480, an SSRF protection bypass in AVideo's unauthenticated LiveLinks proxy using IPv4-mapped IPv6 addresses. The disclosure notes the issue affected versions up to and including 26.0.
AVideo SSRF bypass via IPv4-mapped IPv6 receives a patch
A separate SSRF vulnerability affecting AVideo up to and including version 26.0 was addressed with patch commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373. The flaw allowed bypass of isSSRFSafeURL() using IPv4-mapped IPv6 addresses against the unauthenticated LiveLinks proxy endpoint.
Multiple AVideo CVEs are publicly disclosed
On 2026-03-20, public vulnerability records described several AVideo issues: unauthenticated installer-based takeover, redirect-based SSRF, predictable default Docker admin credentials, and unauthenticated session ID disclosure enabling hijacking. The disclosures state these issues affected AVideo 25.0 and earlier.
WWBN fixes multiple AVideo flaws in version 26.0
WWBN released AVideo version 26.0 to fix several vulnerabilities affecting version 25.0 and earlier, including unauthenticated installer takeover, redirect-based SSRF, predictable default admin credentials, and session ID disclosure with permissive CORS.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
CVE-2026-33480 - AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
cvefeed.io
Open sourceCVE-2026-33039 - AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
cvefeed.io
Open sourceCVE-2026-33038 - AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
cvefeed.io
Open sourceCVE-2026-33037 - WWBN AVideo has predictable default admin credentials in official Docker deployment path
cvefeed.io
Open sourceCVE-2026-33043 - AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AVideo Flaws Enable Remote Code Execution via Command Injection and Malicious Plugin Upload
WWBN **AVideo** versions up to and including `26.0` are affected by two high-severity flaws that can lead to **remote code execution**. `CVE-2026-33482` is an OS command injection bug in `sanitizeFFmpegCommand()`, which strips some shell metacharacters but fails to remove bash command substitution using `$()`. Because the resulting `ffmpeg` command is later executed in a double-quoted `sh -c` context by `execAsync()`, an attacker able to craft a valid encrypted payload can run arbitrary commands on the standalone encoder server. A separate issue, `CVE-2026-33507`, allows unauthenticated code execution through the plugin import workflow. The `objects/pluginImport.json.php` endpoint permits admin users to upload and install plugin ZIP archives containing executable PHP, but lacks **CSRF** protection; with `session.cookie_samesite = 'None'` on HTTPS connections, an attacker can trick a logged-in administrator into silently importing a malicious plugin and deploying a PHP webshell. Fixes were introduced in commits `25c8ab90269e3a01fb4cf205b40a373487f022e1` and `d1bc1695edd9ad4468a48cea0df6cd943a2635f3`.
Mar 23, 2026
AVideo CloneSite Flaws Enable File Deletion and Unauthenticated RCE
WWBN **AVideo** was found to contain multiple high-severity flaws in its `CloneSite` plugin that can be abused for destructive attacks and full server compromise. One issue, tracked as `CVE-2026-33293`, affects versions prior to **26.0** and allows arbitrary file deletion through path traversal in the `deleteDump` parameter of `plugin/CloneSite/cloneServer.json.php`. Because the value was passed directly to `unlink()` without sanitization, an attacker with valid clone credentials could use `../../` sequences to remove arbitrary files such as `configuration.php`, causing denial of service and potentially weakening other protections. A second issue, `CVE-2026-33478`, describes a broader attack chain in AVideo versions up to and including **26.0** that can lead to **unauthenticated remote code execution**. The `clones.json.php` endpoint exposed clone secret keys without authentication, which could then be used to trigger a full database dump via `cloneServer.json.php`; the dump reportedly included admin password hashes stored as **MD5**, enabling attackers to recover credentials and gain administrative access. From there, an OS command injection flaw in `cloneClient.json.php` involving `rsync` command construction could be used to execute arbitrary system commands. The vulnerabilities were mapped to `CWE-22`, `CWE-78`, and `CWE-284`, and fixes were released by WWBN, including a patch referenced in commit `c85d076375fab095a14170df7ddb27058134d38c`.
Apr 22, 2026
Unauthenticated OS Command Injection in AVideo via `base64Url` Parameter
A critical, **zero-click unauthenticated OS command injection** vulnerability was disclosed in the open-source video hosting/streaming platform **AVideo**, tracked as **CVE-2026-29058**. The flaw affects versions **prior to 7.0** (including **6.0**) and allows remote attackers to execute arbitrary operating system commands on the server without user interaction or prior privileges, creating a path to **full server compromise**, **data exfiltration** (e.g., configuration secrets, internal keys, credentials), and **service disruption**. The issue stems from `objects/getImage.php`, where attacker-controlled input in the `base64Url` GET parameter is Base64-decoded and incorporated into a double-quoted `ffmpeg` shell command without proper escaping/neutralization of shell metacharacters and command substitution (CWE-78). The vulnerability was reported by security researcher **Arkmarta**, and remediation is available by upgrading to **AVideo 7.0 or later**, which includes the official patch.
Mar 21, 2026