Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
Published: 2026-03-20
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The Scheduler plugin’s run() function performs an HTTP request to an admin‑configurable callbackURL using url_get_contents. Only the URL format is validated, and the function is not protected against server‑side request forgery. An authenticated administrator can set the callbackURL to an internal network address or a cloud metadata endpoint, enabling the platform to retrieve information or perform actions on hosts that are otherwise unreachable from the internet. This gives an attacker the ability to obtain sensitive data, exfiltrate internal information, or interact with internal services, potentially leading to privilege escalation or data compromise.

Affected Systems

The vulnerability affects the WWBN AVideo open‑source video platform. Versions prior to 26.0 are vulnerable. Version 26.0 includes a patch that ensures the callbackURL is evaluated by isSSRFSafeURL(), blocking RFC‑1918 addresses, loopback, and cloud metadata services. Users running earlier releases should upgrade or disable the Scheduler plugin.

Risk and Exploitability

The CVSS score is 5.5, reflecting a moderate risk. EPSS is below 1 %, indicating a low probability of recent exploitation. It is not listed in the CISA KEV catalog. Exploitation requires administrative control over the Scheduler plugin, meaning the attacker would need to authenticate as an administrator or gain control over scheduled tasks. With such access, the attacker could introduce arbitrary callbackURLs to perform SSRF against internal hosts or cloud metadata endpoints. The attack vector is limited to privileged users, but the impact on internal resources can be significant if unmitigated.

Generated by OpenCVE AI on March 23, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AVideo version 26.0 or later, which adds SSRF safe URL checks.
  • If an upgrade is not possible, disable the Scheduler plugin or remove any scheduled tasks that use callbackURL.
  • Verify that the Scheduler plugin is not configured to use internal or cloud metadata URLs.
  • Monitor admin configurations for unauthorized changes to callbackURL values.

Generated by OpenCVE AI on March 23, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v467-g7g7-hhfh AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
History

Mon, 13 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
Title AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T17:40:38.441Z

Reserved: 2026-03-18T02:42:27.508Z

Link: CVE-2026-33237

cve-icon Vulnrichment

Updated: 2026-03-24T17:59:54.452Z

cve-icon NVD

Status : Modified

Published: 2026-03-21T00:16:26.523

Modified: 2026-04-13T18:16:29.593

Link: CVE-2026-33237

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:32Z

Weaknesses