CVE-2026-33039: Server-Side Request Forgery in AVideo

Severity: 8.6 HIGH (NVD)
EPSS: 0.0% (top 97.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 20
Latest update: Apr 14

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect.
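The defect described above is a check applied once, before the first request, while the redirect hop is fetched unchecked. The mitigation is to stop relying on the HTTP client's automatic redirect handling and validate every hop yourself. The following is an added illustration of that pattern, not code from AVideo: the names is_ssrf_safe_url, safe_fetch, SSRFBlocked, the HOSTS/RESPONSES tables and the injected resolve/fetch callables are all constructed here so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Destinations a proxy should never reach: loopback, RFC1918, link-local
# (which includes the 169.254.169.254 cloud metadata address), and IPv6 equivalents.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

class SSRFBlocked(Exception):
    pass

def is_ssrf_safe_url(url, resolve):
    """True only for http(s) URLs whose host resolves to a public address.
    `resolve` maps a hostname to an IP string (injected so this runs without DNS)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except ValueError:
        return False
    return not any(addr in net for net in BLOCKED)

def safe_fetch(url, fetch, resolve, max_redirects=5):
    """Follow redirects manually, re-validating each hop before it is requested.
    `fetch(url)` returns (status, headers, body); headers are assumed case-normalised."""
    for _ in range(max_redirects + 1):
        if not is_ssrf_safe_url(url, resolve):
            raise SSRFBlocked(url)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # checked at the top of the next iteration
            continue
        return body
    raise SSRFBlocked("too many redirects")

# Constructed offline stand-ins for DNS and HTTP (example data, not real hosts).
HOSTS = {"attacker.example": "203.0.113.10", "cdn.example": "198.51.100.7"}
RESPONSES = {
    "http://attacker.example/redir": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, "metadata"),
    "http://cdn.example/old": (301, {"Location": "/new"}, ""),
    "http://cdn.example/new": (200, {}, "video manifest"),
}
resolve = lambda host: HOSTS.get(host, host)
fetch = lambda url: RESPONSES[url]
```

A production version must also connect to the exact address it validated (pin the resolved IP for the request) so that a DNS answer cannot change between the check and the connection.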

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 4.0

Affected Packages (2 packages)

NVD: wwbn/avideo < 26.0
Packagist: wwbn/avideo 25.0 +1

Patches

Vulnerability Details (3)

GHSA: WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF (2026-04-14)
OSV: AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy (2026-03-17)
GHSA: AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy (2026-03-17)

Threat Intelligence (1)

Wiz: CVE-2026-33039 Impact, Exploitability, and Mitigation Steps | Wiz