CVE-2026-33237

WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-21 00:16

Updated : 2026-03-23 19:33

NVD link : CVE-2026-33237

Mitre link : CVE-2026-33237

CVE.ORG link : CVE-2026-33237

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-33237", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 1.2}]}, "published": "2026-03-21T00:16:26.523", "references": [{"url": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, la funci\u00f3n 'run()' del plugin Scheduler en 'plugin/Scheduler/Scheduler.php' llama a 'url_get_contents()' con una 'callbackURL' configurable por el administrador que es validada \u00fanicamente por 'isValidURL()' (verificaci\u00f3n de formato de URL). A diferencia de otros endpoints de AVideo que fueron recientemente parcheados para SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), la URL de callback del Scheduler nunca pasa por 'isSSRFSafeURL()', que bloquea las solicitudes a direcciones privadas RFC-1918, loopback y endpoints de metadatos en la nube. Un administrador puede configurar una tarea programada con una 'callbackURL' de red interna para realizar SSRF contra servicios de metadatos de infraestructura en la nube o APIs internas no accesibles de otra manera desde internet. La versi\u00f3n 26.0 contiene un parche para el problema."}], "lastModified": "2026-03-23T19:33:38.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}