Description
AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.
Published: 2026-03-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery (SSRF) that permits an unauthenticated attacker to trigger ffmpeg to fetch resources from internal or cloud instance metadata endpoints, enabling potential data exposure or internal enumeration
Action: Patch Now
AI Analysis

Impact

AVideo-Encoder versions earlier than 8.0 expose a blind SSRF vulnerability in the public thumbnail generators getImage.php and getImageMP4.php. The endpoints accept a base64-encoded URL, decode it, and pass the resulting address directly to ffmpeg without proper validation or authentication. The only previous check ensured the URL was syntactically valid and started with http(s)://, which is insufficient. An attacker can supply URLs pointing to internal networks or cloud instance metadata, such as http://169.254.169.254/latest/meta-data/, http://192.168.x.x/, or http://127.0.0.1/. Although the server’s response is not returned to the attacker (blind), timing differences and error logs can be leveraged to infer success, thus enabling covert reconnaissance or further exploitation. The vulnerability, categorized as CWE-918, poses a significant risk of unauthorized internal access.
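As an added example (not AVideo's code and not the actual 8.0 fix), the kind of check the advisory describes as insufficient sits beside a hardened replacement in PHP; the function names are hypothetical, and the range rejection relies on PHP's built-in FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE filter flags:

```php
<?php
// Added example, not AVideo's code; function names are hypothetical.
// Roughly the pre-8.0 check the advisory describes: a syntactically valid URL
// with an http(s) scheme. It accepts loopback, RFC 1918 and 169.254.169.254.
function weakCheck(string $url): bool {
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && preg_match('#^https?://#i', $url) === 1;
}

// Hardened replacement: parse the URL, resolve the host, and refuse any address
// that is not public unicast. NO_PRIV_RANGE | NO_RES_RANGE rejects 10/8,
// 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8, ::1, fe80::/10 and fc00::/7.
function isPublicHttpUrl(string $url): bool {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $p = parse_url($url);
    if (!isset($p['scheme'], $p['host']) || isset($p['user']) || isset($p['pass'])) {
        return false;                       // malformed, or credentials embedded
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($p['host'], '[]');         // strip IPv6 brackets
    // Resolve names so a DNS record pointing at an internal address is caught too.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : resolveAll($host);
    if ($addrs === []) {
        return false;                       // unresolvable: fail closed
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($addrs as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;                   // one private/reserved answer rejects the URL
        }
    }
    return true;
}

function resolveAll(string $host): array {
    $ips = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $r) {
        $ips[] = $r['ip'] ?? $r['ipv6'];    // A records carry 'ip', AAAA carry 'ipv6'
    }
    return $ips;
}
// Constructed sample inputs: the weak check passes all three, the hardened one only
// the last (203.0.113.10 is a documentation-range stand-in for a public host).
foreach (['http://169.254.169.254/latest/meta-data/', 'http://127.0.0.1/', 'http://203.0.113.10/video.mp4'] as $u) {
    printf("%-44s weak=%d hardened=%d\n", $u, weakCheck($u), isPublicHttpUrl($u));
}
```

The resolver lookup here and ffmpeg's own connection are separate DNS queries, so an answer that changes between them can still slip past this check; the outbound firewall rule in the recommended actions is the control that does not depend on application-level validation.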

Affected Systems

The affected product is AVideo-Encoder from WWBN. All releases prior to version 8.0 are vulnerable. No specific sub-versions are listed beyond the general version boundary. Users running any older version of the encoder should consider this finding applicable.

Risk and Exploitability

The CVSS score of 9.3 indicates a very high severity, and the EPSS score of less than 1% suggests low current exploit prevalence. The flaw is not listed in CISA’s KEV catalog, but its unrestricted SSRF nature and high score warrant urgent attention. Exploitation requires only a crafted HTTP request to the public thumbnail endpoint; no authentication or advanced techniques are required. If successful, attackers can enumerate internal network resources or access protected metadata services, potentially paving the way for broader compromise.

Generated by OpenCVE AI on March 24, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo-Encoder to version 8.0 or later where the SSRF issue is fixed
  • If an immediate upgrade is not possible, limit access to getImage.php and getImageMP4.php to authenticated or trusted IP ranges using the web server’s access control settings
  • Implement firewall rules that block outbound connections from the encoder’s host to private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to prevent internal network targeting
  • Enable detailed logging for ffmpeg execution so that odd URLs or source addresses can be detected and blocked manually
  • Monitor application logs for unusual request patterns to the thumbnail endpoints as an early warning of potential exploitation

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:45:00 +0000

CPEs, values added: cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*
Metrics, values added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Fri, 20 Mar 2026 19:15:00 +0000

Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

First Time appeared, values added: Wwbn; Wwbn avideo-encoder
Vendors & Products, values added: Wwbn; Wwbn avideo-encoder

Fri, 20 Mar 2026 05:15:00 +0000

Description, values added: AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.
Title, values added: AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator
Weaknesses, values added: CWE-918
References, values added: (none listed)
Metrics, values added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:08:08.761Z

Reserved: 2026-03-17T17:22:14.668Z

Link: CVE-2026-33024

Vulnrichment

Updated: 2026-03-20T16:29:12.126Z

NVD

Status : Analyzed

Published: 2026-03-20T05:16:15.717

Modified: 2026-03-24T16:41:02.800

Link: CVE-2026-33024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:09:14Z

Weaknesses