SB2026050467 - Multiple vulnerabilities in AVideo
Published: May 4, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33237)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to disclose sensitive information.
The vulnerability exists due to server-side request forgery in the Scheduler plugin's run() function in plugin/Scheduler/Scheduler.php when processing an admin-configurable callbackURL. A remote privileged user can configure a scheduled task with a crafted callbackURL and trigger its execution to disclose sensitive information.
The issue can be used to reach internal APIs and cloud metadata endpoints, and the fetched response is stored in the scheduler execution log, from which it can be read back.
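The check a practitioner would want for this class of bug is shown below as an added example in PHP; it is not AVideo's code and does not reproduce the Scheduler plugin's run() function. It assumes only that a callbackURL is fetched with a plain HTTP(S) request. The helper names (isBlockedAddress, validateCallbackUrl, fetchCallback) are hypothetical.

```php
<?php
// Added example (not AVideo's code): vet an admin-supplied callback URL before
// the scheduler fetches it. Function names are hypothetical.

// True for loopback, link-local (which includes the 169.254.169.254 metadata
// address), RFC 1918, unique-local IPv6 and the 100.64.0.0/10 shared range.
function isBlockedAddress(string $ip): bool
{
    $public = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    if ($public === false) {
        return true;
    }
    // filter_var() does not cover 100.64.0.0/10, used by some cloud metadata services.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return (ip2long($ip) >> 22) === (ip2long('100.64.0.0') >> 22);
    }
    return false;
}

// Returns [true, $pinnedIp] or [false, $reason]. Every address the host resolves
// to must be public, so a name with one private record cannot slip through.
function validateCallbackUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return [false, 'unparseable URL'];
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '$scheme' not allowed"]; // file://, gopher://, dict:// ...
    }
    if (empty($parts['host'])) {
        return [false, 'missing host'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials in URL not allowed'];
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['type'] === 'A' ? $rec['ip'] : $rec['ipv6'];
        }
    }
    if ($ips === []) {
        return [false, "host '$host' does not resolve"];
    }
    foreach ($ips as $ip) {
        if (isBlockedAddress($ip)) {
            return [false, "host '$host' resolves to blocked address $ip"];
        }
    }
    return [true, $ips[0]];
}

// Fetch with the vetted IP pinned (closes the DNS-rebinding window between the
// check and the connect), redirects disabled (a 302 to 169.254.169.254 would
// otherwise bypass the check), and only status and size returned, so the
// response body never reaches the execution log.
function fetchCallback(string $url): array
{
    [$ok, $detail] = validateCallbackUrl($url);
    if (!$ok) {
        return ['ok' => false, 'error' => $detail];
    }
    $parts = parse_url($url);
    $port  = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$detail}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ['ok' => $body !== false, 'status' => $status, 'bytes' => strlen((string) $body)];
}

// Constructed inputs: the first two are refused without any network access,
// the third needs DNS to resolve example.com.
foreach (['http://169.254.169.254/latest/meta-data/', 'file:///etc/passwd', 'https://example.com/hook'] as $u) {
    [$ok, $why] = validateCallbackUrl($u);
    echo ($ok ? 'allow ' : 'deny  ') . $u . ($ok ? '' : " ($why)") . PHP_EOL;
}
```

Because the task is admin-configured, the deny-list above is defence in depth against a compromised or malicious administrator account; a deployment that knows its legitimate callback hosts in advance should replace the resolution check with an explicit allow-list of hostnames and keep the redirect, protocol and logging restrictions as they are.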
2) Path traversal (CVE-ID: CVE-2026-33238)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to disclose sensitive information.
The vulnerability exists due to path traversal in listFiles.json.php when handling a user-supplied path parameter. A remote authenticated user can send a specially crafted POST request to disclose sensitive information.
The issue is limited to enumeration of .mp4 filenames and their full absolute filesystem paths; no user interaction is required.
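A contained form of the listing, as an added PHP example that is not AVideo's code and does not reproduce listFiles.json.php: the function name listMp4Files and the $videosRoot argument are hypothetical stand-ins for whatever the real endpoint and configuration use. It shows the two layers a practitioner expects here: a syntactic rejection of absolute and '..' paths before any filesystem access, and a realpath() containment check afterwards, which also catches symlinks. It additionally returns root-relative names, since the original issue leaked absolute paths.

```php
<?php
// Added example (not AVideo's code): a contained replacement for the kind of
// directory listing listFiles.json.php performs. Requires PHP 8.0+.

function listMp4Files(string $videosRoot, string $userPath): array
{
    $root = realpath($videosRoot);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('videos root is not a directory');
    }

    // Syntactic checks first, before any filesystem access: empty, absolute,
    // NUL-containing and '..'-bearing paths are refused outright.
    if ($userPath === ''
        || str_contains($userPath, "\0")
        || $userPath[0] === '/'
        || preg_match('#(^|/)\.\.(/|$)#', $userPath)) {
        throw new InvalidArgumentException('invalid path');
    }

    // Semantic check: realpath() follows symlinks, so the resolved target must
    // still sit under the root. The trailing separator stops /srv/videos2 from
    // passing as a child of /srv/videos.
    $target = realpath($root . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false
        || !str_starts_with($target . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('path escapes videos root');
    }

    // Report names relative to the root rather than absolute filesystem paths.
    $files = [];
    foreach (glob($target . DIRECTORY_SEPARATOR . '*.mp4') ?: [] as $file) {
        $files[] = substr($file, strlen($root) + 1);
    }
    return $files;
}

// Constructed demo on a temporary tree (left in place for inspection).
$demo = sys_get_temp_dir() . '/avideo-demo-' . getmypid();
mkdir("$demo/videos/2026", 0700, true);
touch("$demo/videos/2026/clip.mp4");
file_put_contents("$demo/secret.txt", 'not a video');

print_r(listMp4Files("$demo/videos", '2026'));
foreach (['../', '2026/../..', '/etc'] as $bad) {
    try {
        listMp4Files("$demo/videos", $bad);
    } catch (InvalidArgumentException $e) {
        echo "$bad -> rejected: {$e->getMessage()}" . PHP_EOL;
    }
}
```

The syntactic layer alone is not enough: a symlink placed inside the videos tree, or a path that only becomes '..' after decoding, is exactly what the realpath() comparison exists to catch, so keep both checks.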
Remediation
Install the update from the vendor's website.