CVE-2026-33237
- Source
- https://cve.org/CVERecord?id=CVE-2026-33237
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33237.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33237
- Aliases
- Published
- 2026-03-20T23:30:04.209Z
- Modified
- 2026-04-10T05:42:39.754546Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
- Details
-
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's
run()function inplugin/Scheduler/Scheduler.phpcallsurl_get_contents()with an admin-configurablecallbackURLthat is validated only byisValidURL()(URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed throughisSSRFSafeURL(), which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal networkcallbackURLto perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-918" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33237.json" }- References
Affected packages
Git / github.com/wwbn/avideo
Affected ranges
- Type
- GIT
- Repo
- https://github.com/wwbn/avideo
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed