{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33294", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.427Z", "datePublished": "2026-03-22T16:58:09.664Z", "dateUpdated": "2026-03-25T13:50:25.707Z"}, "containers": {"cna": {"title": "AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p"}, {"name": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-22T16:58:09.664Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue."}], "source": {"advisory": "GHSA-66cw-h2mj-j39p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:50:07.643775Z", "id": "CVE-2026-33294", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:50:25.707Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33294", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.427Z", "datePublished": "2026-03-22T16:58:09.664Z", "dateUpdated": "2026-03-25T13:50:25.707Z"}, "containers": {"cna": {"title": "AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p"}, {"name": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-22T16:58:09.664Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue."}], "source": {"advisory": "GHSA-66cw-h2mj-j39p", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33294", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:50:07.643775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:50:22.378Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el endpoint de guardado del plugin BulkEmbed ('plugin/BulkEmbed/save.json.php') obtiene URLs de miniaturas proporcionadas por el usuario a trav\u00e9s de 'url_get_contents()' sin protecci\u00f3n SSRF. A diferencia de los otros seis endpoints de obtenci\u00f3n de URLs en AVideo que fueron reforzados con 'isSSRFSafeURL()', esta ruta de c\u00f3digo fue omitida. Un atacante autenticado puede forzar al servidor a realizar solicitudes HTTP a recursos de red internos y recuperar las respuestas al ver la miniatura del video guardado. La versi\u00f3n 26.0 corrige el problema."}], "id": "CVE-2026-33294", "lastModified": "2026-03-24T21:14:36.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-22T17:17:09.100", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T22:23:04.916708+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to version 26.0 or later where the BulkEmbed thumbnail fetch is hardened.", "If an upgrade is not immediately possible, disable or remove the BulkEmbed plugin until the patch is applied.", "Restrict the server\u2019s outbound network access from the web application to the necessary public endpoints, blocking internal network ranges."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure via SSRF"}, "threat_synthesis": {"affected_systems": "Affecting the WWBN AVideo open\u2011source video platform, specifically all releases prior to version 26.0. The vulnerable code exists in the BulkEmbed plugin accessed via plugin/BulkEmbed/save.json.php. Applications running these versions that have the BulkEmbed feature enabled and logged\u2011in user accounts are susceptible. Version 26.0 contains a fix that hardens the URL fetch call.\n", "description_and_impact": "The vulnerability resides in the BulkEmbed plugin\u2019s save endpoint, which retrieves thumbnail images from user\u2011supplied URLs through a raw HTTP request function. This path lacks SSRF checks that are present in other similar endpoints. An attacker that is logged into the system can supply an internal or private network address; the server will fetch the content at that address and return it as part of the thumbnail view, providing the attacker with access to otherwise restricted internal resources. The weakness is a classic Server\u2011Side Request Forgery, classified as CWE\u2011918, and does not provide remote code execution but exposes sensitive internal data.\n", "risk_and_exploitability": "The CVSS score of 5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of automated exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate authentication, but user\u2011level accounts are sufficient to trigger the fetch. Once triggered, the attacker can read any internal resource reachable from the server, potentially exposing internal services, configuration data, or sensitive content. The attack vector is an authenticated web application request, so defenders should prioritize fixing the missing SSRF protection.\n"}}}}, "created": "2026-03-23T09:45:52.935667+00:00", "updated": "2026-03-25T14:50:27.652043+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}