Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33294


Published: April 8, 2026


Vulnerability identifier: #VU125452
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33294
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information from internal network resources.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/BulkEmbed/save.json.php when fetching user-supplied thumbnail URLs. A remote user can send a specially crafted save request with an internal URL to disclose sensitive information from internal network resources.

The HTTP response body is saved as the video thumbnail and can be retrieved by viewing the saved poster image, resulting in a scope change into internal network or cloud metadata resources.
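The fetch-then-store pattern described above is the general shape of this bug class: the server fetches a URL the user supplied and persists whatever comes back. The following Python is an added example, not AVideo's or the vendor's code, of the two checks a fix for this class needs: resolve and validate the destination before fetching (rejecting loopback, private, link-local including the cloud metadata range, multicast and IPv4-mapped IPv6 forms), and refuse to persist a response body that is not actually an image. Every function name, the constructed DNS table and the addresses in it are assumptions made for the demonstration.

```python
"""SSRF guard for user-supplied thumbnail URLs (added example, not AVideo's code).

Two defences for the pattern "fetch user-supplied URL, store body as an image":
  1. validate the URL *and the addresses it resolves to* before fetching;
  2. refuse to persist a fetched body that is not actually an image.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Ranges refused in addition to the ipaddress module's own classification.
# 100.64.0.0/10 (carrier-grade NAT) is not flagged is_private on older Pythons.
EXTRA_BLOCKED_NETWORKS = [
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def default_resolver(host):
    """Resolve host with the system resolver; returns a set of ip_address objects."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr):
    """True if addr is loopback, private, link-local (covers 169.254.169.254), multicast,
    reserved or unspecified. IPv4-mapped IPv6 is unwrapped so ::ffff:127.0.0.1 is caught."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in EXTRA_BLOCKED_NETWORKS):
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_thumbnail_url(url, resolver=default_resolver):
    """Return the set of addresses a fetch would contact, or raise ValueError if the
    URL must not be fetched. The caller should connect to one of the returned
    addresses, and re-run this check on every redirect hop, so that a changing DNS
    answer cannot swap in an internal address after validation."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addrs = {ipaddress.ip_address(host)}  # literal address: no DNS lookup needed
    except ValueError:
        addrs = set(resolver(host))           # hostname: judge what it resolves to
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    blocked = sorted(str(a) for a in addrs if is_blocked_address(a))
    if blocked:
        raise ValueError(f"{host!r} resolves to non-public address(es): {', '.join(blocked)}")
    return addrs


def is_safe_thumbnail_url(url, resolver=default_resolver):
    """Boolean convenience wrapper around validate_thumbnail_url."""
    try:
        validate_thumbnail_url(url, resolver)
        return True
    except ValueError:
        return False


# Second defence: the stored poster must really be an image. The Content-Type
# header is attacker-controlled, so the body's magic bytes are checked instead.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def detect_image_type(body):
    """Return the MIME type for body based on magic bytes, or None if it is not an
    accepted image (an HTML page, JSON document or metadata response yields None)."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "image/webp"
    return None


# Constructed DNS table so the example runs offline; these are not real hosts.
CONSTRUCTED_DNS = {
    "cdn.example": {ipaddress.ip_address("8.8.8.8")},        # stands in for a public CDN
    "intranet.example": {ipaddress.ip_address("10.0.0.5")},  # internal-only name
    "dual.example": {ipaddress.ip_address("8.8.8.8"),        # mixed answer: still refused
                     ipaddress.ip_address("10.0.0.5")},
}


def constructed_resolver(host):
    """Offline stand-in for default_resolver, backed by CONSTRUCTED_DNS."""
    return CONSTRUCTED_DNS.get(host.lower(), set())


if __name__ == "__main__":
    for candidate in ("https://cdn.example/poster.jpg", "http://intranet.example/",
                      "http://169.254.169.254/", "http://[::ffff:127.0.0.1]/"):
        print(f"{candidate:40} safe={is_safe_thumbnail_url(candidate, constructed_resolver)}")
    print("png body ->", detect_image_type(b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
    print("html body ->", detect_image_type(b"<html><body>secret</body></html>"))
```

Both checks matter because the disclosure channel here is the stored poster: blocking the fetch stops the request from ever reaching an internal address, and the magic-byte check means that even a fetch which slips through (for example via a redirect that was not re-validated) cannot persist an HTML or JSON body for later retrieval. A production guard would also pin the connection to the validated address rather than letting the HTTP client resolve the name a second time.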


How to mitigate CVE-2026-33294

Install the security update from the vendor's website.

Sources