CVE-2026-33766Server-Side Request Forgery in Avideo

CWE-918Server-Side Request Forgery4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 89.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
Latest updateMar 26
PublishedMar 27

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 contains a patch.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDwwbn/avideo26.0
Packagistwwbn/avideo26.0

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints2026-03-26
GHSA
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints2026-03-26

🕵️Threat Intelligence

1
Wiz
CVE-2026-33766 Impact, Exploitability, and Mitigation Steps | Wiz