#VU125444 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33237

 

Published: April 8, 2026


Vulnerability identifier: #VU125444
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33237
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
AVideo
Software vendor:
World Wide Broadcast Network

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery in the Scheduler plugin run() function in plugin/Scheduler/Scheduler.php when processing an admin-configurable callbackURL. A remote privileged user can configure a scheduled task with a crafted callbackURL and trigger execution to disclose sensitive information.

The issue can be used to access internal APIs and cloud metadata endpoints, and the response is stored in the scheduler execution log.
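
A destination check of the kind that prevents this class of request, shown as an added example (it is not AVideo code and not the vendor's fix). The function names `isPublicIp` and `checkCallbackUrl`, the sample hostnames and the injected resolver are assumptions made for illustration; the resolver is a stub so the sample runs offline.

```php
<?php
// Added example, not AVideo code: decide whether a scheduler callback URL
// may be fetched. The resolver is injectable so the sample runs offline.
function isPublicIp(string $ip): bool
{
    // Rejects private ranges (10/8, 172.16/12, 192.168/16) and reserved ones
    // (127/8 loopback, 169.254/16 link-local, where cloud metadata lives).
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function checkCallbackUrl(string $url, callable $resolve): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return [false, 'missing scheme or host'];
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed'];
    }
    $host = trim($parts['host'], '[]');   // strip IPv6 literal brackets
    // Literal IP: check it directly. Hostname: check every resolved address.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (!$ips) {
        return [false, 'host does not resolve'];
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return [false, "non-public address $ip"];
        }
    }
    return [true, $ips[0]];   // fetch from this checked address, not a new lookup
}

// Constructed resolver standing in for DNS (in production: gethostbynamel()).
$dns = ['hooks.example.com'    => ['93.184.216.34'],
        'intranet.example.com' => ['10.0.0.5']];
$resolve = fn(string $h): array => $dns[$h] ?? [];

foreach ([
    'https://hooks.example.com/done',
    'http://169.254.169.254/',
    'http://intranet.example.com/api',
    'http://[::1]:8080/',
    'ftp://hooks.example.com/x',
] as $url) {
    [$ok, $detail] = checkCallbackUrl($url, $resolve);
    printf("%-36s %s (%s)\n", $url, $ok ? 'ALLOW' : 'BLOCK', $detail);
}
```

The check only holds if the request is then sent to the address that was validated and redirects are either disabled or re-checked, since a second DNS lookup or a redirect can point back at an internal host.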


Remediation

Install the security update from the vendor's website.
