CVE-2026-33766

Source
https://cve.org/CVERecord?id=CVE-2026-33766
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33766.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33766
Published
2026-03-27T14:31:06.272Z
Modified
2026-04-10T05:42:56.992022Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
Details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, isSSRFSafeURL() validates URLs against private/reserved IP ranges before fetching, but url_get_contents() follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 contains a patch.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33766.json",
    "cna_assigner": "GitHub_M"
}
Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type
GIT
Repo
https://github.com/wwbn/avideo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "26.0"
        }
    ]
}

Affected versions

10.*
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
18.*
18.0
2.*
2.2
2.7
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0
3.*
3.4
4.*
4.0
7.*
7.2
7.3
7.4
7.6
7.7
7.8
8.*
8.1
8.5
8.6
8.7
8.9
8.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33766.json"