#VU125452 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33294

 


Published: April 8, 2026


Vulnerability identifier: #VU125452
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33294
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote user to disclose sensitive information from internal network resources.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/BulkEmbed/save.json.php when fetching user-supplied thumbnail URLs. A remote user can send a specially crafted save request with an internal URL to disclose sensitive information from internal network resources.

The HTTP response body is saved as the video thumbnail and can be retrieved by viewing the saved poster image, resulting in a scope change into internal network or cloud metadata resources.
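The two server-side checks that address the behaviour described above, vetting where a thumbnail URL points before fetching it and refusing to store a response body that is not an image, are shown below as an added example. It is not AVideo code or the vendor's patch; the function names, host names and the DNS mapping are hypothetical and constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Leading bytes of the formats a poster image may legitimately have.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}

def resolve(host):
    """Default resolver: every A/AAAA address the name maps to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def vet_thumbnail_url(url, resolver=resolve):
    """Return the vetted addresses for url, or raise ValueError.

    The caller should connect to one of the returned addresses (not
    re-resolve the name) and re-run this check on every redirect target.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("host does not resolve")
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local
        # (169.254.0.0/16, used by cloud metadata services), CGNAT and ULA.
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError("%s resolves to non-public %s" % (parts.hostname, addr))
    return addrs

def sniff_image(body):
    """Return the image type of body, or None if it is not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "webp"
    return None

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    fake_dns = {"cdn.example.com": ["93.184.216.34"], "intranet.example.com": ["10.0.0.5"]}
    for u in ("https://cdn.example.com/a.jpg", "http://intranet.example.com/x"):
        try:
            print(u, "->", vet_thumbnail_url(u, lambda h: fake_dns[h]))
        except ValueError as e:
            print(u, "-> rejected:", e)
```

Rejecting a body for which `sniff_image` returns `None` means a non-image response is never written to the poster file, so it cannot be read back through the thumbnail.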


Remediation

Install the security update from the vendor's website.
