Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33237

Published: April 8, 2026


Vulnerability identifier: #VU125444
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33237
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software: AVideo

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery in the Scheduler plugin run() function in plugin/Scheduler/Scheduler.php when processing an admin-configurable callbackURL. A remote privileged user can configure a scheduled task with a crafted callbackURL and trigger execution to disclose sensitive information.

The issue can be used to access internal APIs and cloud metadata endpoints, and the response is stored in the scheduler execution log.
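The root cause described above is that an admin-supplied callbackURL is fetched by the server without restricting where it may point. The following PHP validator is an added example written for this advisory, not code from AVideo or the Scheduler plugin; it shows the kind of check a scheduler should apply before making the outbound request, rejecting non-http(s) schemes and any host that resolves to a loopback, private, or link-local address (which covers the cloud metadata range). The function names and the optional allow-list parameter are assumptions of this example.

```php
<?php
// Added example (not AVideo's code): validate an admin-configurable callback
// URL before a scheduled task performs an outbound request with it.

function isPublicIp(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects
    // 127.0.0.0/8, 169.254.0.0/16 (cloud metadata lives here), 0.0.0.0/8,
    // 240.0.0.0/4, ::1, ::, ::ffff:0:0/96 and fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns [bool $allowed, string $reason]. $allowedHosts (assumed parameter)
// optionally pins callbacks to a fixed set of hostnames.
function validateCallbackUrl(string $url, array $allowedHosts = []): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return [false, 'unparseable URL or missing host'];
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'only http/https callbacks are allowed'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials embedded in URL are not allowed'];
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) {
        return [false, 'host is not on the callback allow-list'];
    }
    // A literal IP "resolves" to itself; names are resolved (IPv4 only here,
    // use dns_get_record() for AAAA records in a full implementation).
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : gethostbynamel($host);
    if (!$ips) {
        return [false, 'host does not resolve'];
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return [false, "host resolves to non-public address $ip"];
        }
    }
    return [true, 'ok'];
}

// Constructed sample inputs: the first is rejected, the second passes scheme
// and host checks and is then subject to DNS resolution.
var_dump(validateCallbackUrl('http://169.254.169.254/latest/meta-data/'));
var_dump(validateCallbackUrl('https://callbacks.example.com/notify'));
```

Because a hostname can resolve differently between this check and the actual request, a complete fix also pins the validated address when issuing the request (for example via curl's CURLOPT_RESOLVE) and disables redirect following, so the response written to the execution log can only come from an approved destination.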


How to mitigate CVE-2026-33237

Install the security update from the vendor's website.

Sources