CVE-2026-33294 MEDIUM

CVE-2026-33294: AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources

Vendor: Wwbn
Product: AVideo
Weakness: CWE-918 · SSRF
Published: March 22, 2026
Last update: March 25, 2026

CVSS base score

5.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.
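The kind of check the description says was missing before a user-supplied thumbnail URL is fetched, as an added example (not AVideo's `isSSRFSafeURL()` and not code from the project). The function name `thumbnailUrlIsSafe`, the injected resolver and the sample hostnames and addresses are assumptions made for illustration.

```php
<?php
// Added illustration only: NOT AVideo's isSSRFSafeURL(). Function name,
// resolver and sample data are hypothetical/constructed.

/**
 * True only when $url is http(s) and every address its host maps to is
 * publicly routable. $resolver(host) returns a list of IP strings; it is
 * injected so this sample runs offline.
 */
function thumbnailUrlIsSafe(string $url, callable $resolver): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                       // unparseable or relative URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // only web schemes are fetched
    }
    $host = trim($parts['host'], '[]');     // IPv6 literals arrive bracketed
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]                           // IP literal: check it directly
        : $resolver($host);                 // name: check what it resolves to
    if (empty($ips)) {
        return false;                       // fail closed on resolution errors
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        // Rejects RFC 1918, loopback, link-local and other reserved ranges.
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed DNS answers standing in for a real resolver.
$dns = ['cdn.example.com' => ['93.184.216.34'], 'intranet.example.test' => ['192.168.1.20']];
$resolve = fn(string $h): array => $dns[$h] ?? [];
foreach ([
    'https://cdn.example.com/thumb.jpg',
    'http://intranet.example.test/logo.png',
    'http://127.0.0.1/thumb.jpg',
    'http://[::1]/thumb.jpg',
    'ftp://cdn.example.com/thumb.jpg',
] as $u) {
    printf("%-40s %s\n", $u, thumbnailUrlIsSafe($u, $resolve) ? 'fetch' : 'reject');
}
```

A check like this is point-in-time: the fetch that follows should connect to the address that was validated and should not follow redirects without re-validating each hop, since a name can resolve differently between the check and the request.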

Key dates

02 Disclosure timeline

March 22, 2026: CVE published
March 25, 2026: Record updated
