AVideo, a popular streaming platform used by creators and businesses to manage and monetize video content, is facing a severe security crisis. Researchers have identified five critical vulnerabilities—with CVSS scores reaching a maximum of 10.0—that allow unauthenticated attackers to hijack live streams, steal entire databases, and execute arbitrary code on the server.
Currently, there are no patched versions available for these flaws, leaving all deployments up to version 26.0 highly vulnerable.
CVE-2026-33478 (CVSS 10): Multi-Chain Remote Code Execution
The most dangerous of the bunch is a “chain” attack within the CloneSite plugin. An attacker can start by grabbing secret keys without any password. This acts as a master key to dump the entire database—including your emails and password hashes. Because the passwords use an outdated “MD5” format, they can be easily cracked. Once the attacker logs in as an admin, they can use the server’s own synchronization tools to run any command they want, effectively taking over the entire machine.
CVE-2026-33352 (CVSS 9.8): SQL Injection
A flaw in how the platform handles the doNotShowCats parameter allows hackers to bypass security filters. By using a simple backslash (\), they can trick the database into revealing its contents. Attackers gain full read access to user credentials, private video metadata, and API secrets. On some servers, hackers could write a “web shell” to the system, granting them permanent remote control.
CVE-2026-33716 (CVSS 9.4): Live Stream Control
Live streamers are particularly at risk. A vulnerability in the control.json.php file allows an outsider to redirect the server’s authentication checks to a fake server.
An unauthenticated attacker can instantly kill a live broadcast, start unauthorized recordings of private streams, or probe for hidden stream names.
CVE-2026-33351 (CVSS 9.1): Bypassing the DVR Lock: SSRF & Token Bypass
In another blow to live features, the saveDVR.json.php file contains a flaw where it trusts a user-supplied URL to verify tokens. By pointing the server to their own malicious site, an attacker can bypass all authentication checks for DVR functions. It also allows for “Server-Side Request Forgery” (SSRF), where the attacker uses the AVideo server to attack other internal systems or cloud services.
CVE-2026-33502 (CVSS 9.3): SSRF via Test Scripts
A test file left in the live plugin (plugin/Live/test.php) can be used by anyone on the internet to make the server send requests to internal network services. This “internal spy” can map out a company’s private network, find open ports, and even steal sensitive metadata from cloud providers.
How to Stay Safe
Since no official update is available yet, administrators are urged to take manual action immediately:
- Remove Dangerous Files: Delete plugin/Live/test.php and restrict access to the CloneSite plugin.
- Update Passwords: If possible, upgrade password hashing from MD5 to a more secure format like Bcrypt.
- Harden Code: Apply “parameterized queries” to fix SQL injection and use escapeshellarg() on all system commands to prevent malicious injections.
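Until a fix ships, administrators can at least watch their web-server logs for probes against the endpoints named above. The following triage script is an added example, not code from the advisory or the AVideo project; the log lines are constructed, the query parameter names (url, server) and the /plugin/Live/ location of control.json.php are assumptions, and endpoints are matched by filename so the real path does not matter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache "combined" layout), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "GET /plugin/Live/test.php?url=http://169.254.169.254/ HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [01/Apr/2026:10:00:02 +0000] "GET /plugin/Live/control.json.php?id=1&server=https://evil.example/ HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.9 - - [01/Apr/2026:10:00:03 +0000] "GET /view/?doNotShowCats=5%5C%27%20OR%201=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2026:10:00:04 +0000] "GET /view/?doNotShowCats=5&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Live-plugin endpoints the advisory says trust an attacker-supplied URL.
URL_TRUSTING_ENDPOINTS = ("/control.json.php", "/saveDVR.json.php")


def classify(target):
    """Return the advisory items a single request target (path + query) looks like."""
    parts = urlsplit(target)
    path = parts.path
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    if path.endswith("/plugin/Live/test.php"):
        findings.append("CVE-2026-33502 SSRF test script")
    if path.endswith(URL_TRUSTING_ENDPOINTS) and any(
        v.lower().startswith(("http://", "https://")) for _, v in params
    ):
        findings.append("CVE-2026-33716/33351 external URL in live endpoint")
    for key, value in params:
        # A backslash or quote in doNotShowCats is the filter-bypass pattern described above.
        if key == "doNotShowCats" and any(c in value for c in "\\'\""):
            findings.append("CVE-2026-33352 SQLi probe in doNotShowCats")
    return findings


def triage(log_text):
    """Return (ip, target, findings) for every log line that matches at least one rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (labels := classify(m["target"])):
            hits.append((m["ip"], m["target"], labels))
    return hits


if __name__ == "__main__":
    for ip, target, labels in triage(SAMPLE_LOG):
        print(ip, target, ", ".join(labels))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a benign request such as the fourth sample line produces no finding.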