CVE-2026-33024 — Server-Side Request Forgery in Avideo-encoder
Severity
9.3 CRITICAL (NVD)
EPSS
0.1%
top 75.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 20
Description
AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an at…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
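The validation gap described above, shown as an added example that is not AVideo's code or its actual fix: the syntax-plus-scheme check next to a stricter check that also resolves the host and rejects non-public addresses. The function names `weakCheck` and `strictCheck`, the injectable resolver and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example, not AVideo code. All names here are hypothetical.

// The check the description calls insufficient: URL syntax and scheme only.
function weakCheck(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && preg_match('#^https?://#i', $url) === 1;
}

// Stricter check: every address the host maps to must be publicly routable.
// $resolver is injectable so the logic can be exercised without DNS.
function strictCheck(string $url, ?callable $resolver = null): bool
{
    if (!weakCheck($url)) {
        return false;
    }
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = trim($host, '[]'); // parse_url keeps brackets on IPv6 literals
    // gethostbynamel() returns IPv4 records only, or false on failure.
    $resolver ??= fn(string $h): array => gethostbynamel($h) ?: [];
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if ($ips === []) {
        return false; // unresolvable host: refuse rather than guess
    }
    foreach ($ips as $ip) {
        // Rejects private ranges plus loopback, link-local and other
        // reserved ranges.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs, decoded the way the endpoints decode base64Url.
$samples = ['http://127.0.0.1/a.mp4', 'http://10.0.0.5/a.mp4',
            'http://[::1]/a.mp4', 'https://93.184.216.34/a.mp4'];
foreach ($samples as $url) {
    $decoded = base64_decode(base64_encode($url), true);
    printf("%-30s weak=%s strict=%s\n", $decoded,
        var_export(weakCheck($decoded), true),
        var_export(strictCheck($decoded), true));
}
```

A check made at validation time does not cover redirects or a second DNS lookup performed by the process that fetches the URL, so the fetch itself also needs to be restricted to the validated address.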