Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.
Published: 2026-03-22
Score: 5 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Information disclosure via SSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the BulkEmbed plugin’s save endpoint, which retrieves thumbnail images from user‑supplied URLs through a raw HTTP request function. This code path lacks the SSRF checks that are present in the platform's other URL‑fetching endpoints. An attacker who is logged into the system can supply an internal or private network address; the server fetches the content at that address and returns it as part of the thumbnail view, giving the attacker access to otherwise restricted internal resources. The weakness is a classic Server‑Side Request Forgery, classified as CWE‑918; it does not provide remote code execution, but it exposes sensitive internal data.
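The missing gate described above, as an added example that is not AVideo's code: a Python check that lets a thumbnail URL reach the fetcher only when its scheme and port are on an allow-list and every address its host resolves to is globally routable. The resolver is injectable so the block runs offline against a constructed DNS table; `is_safe_thumbnail_url()`, `CONSTRUCTED_DNS`, the allowed-port policy and the IP addresses are all hypothetical placeholders, not values from the advisory.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical fetch policy for a thumbnail downloader: plain web URLs on standard ports.
ALLOWED_SCHEMES, ALLOWED_PORTS = {"http", "https"}, {80, 443}

def system_resolver(host: str) -> Iterable[str]:
    """Default resolver: every A/AAAA answer the OS returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(addr: str) -> bool:
    """Globally routable unicast only; loopback, RFC 1918, link-local, CGNAT, ULA and reserved fail."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def is_safe_thumbnail_url(url: str, resolver: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    """Hypothetical stand-in for the isSSRFSafeURL() gate the BulkEmbed endpoint omitted."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname or parts.username or parts.password:
        return False
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:  # literal IP (v4 or bracketed v6): judge it directly, no DNS involved
        return is_public_ip(parts.hostname)
    except ValueError:
        pass
    try:  # hostname: every resolved address must be public, so split answers fail
        addrs = list(resolver(parts.hostname))
    except OSError:  # socket.gaierror is an OSError subclass
        return False
    return bool(addrs) and all(is_public_ip(a) for a in addrs)

# Constructed DNS table so the example runs offline; these records are invented.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],                 # public only
    "thumbs.example.com": ["93.184.216.34", "10.0.0.5"],  # mixed public/private
    "intranet.example.com": ["192.168.1.20"],             # RFC 1918 only
}

def constructed_resolver(host: str) -> Iterable[str]:
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return CONSTRUCTED_DNS[host]
```

A pre-fetch check of this kind is only part of the fix: the fetcher also has to re-apply it on every redirect and connect to the address it validated, otherwise a DNS answer that changes between check and fetch sidesteps the gate.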

Affected Systems

The vulnerability affects the WWBN AVideo open‑source video platform, specifically all releases prior to version 26.0. The vulnerable code lives in the BulkEmbed plugin and is reached through plugin/BulkEmbed/save.json.php. Deployments running these versions with the BulkEmbed plugin enabled are susceptible to any user holding a valid account. Version 26.0 contains a fix that hardens the URL fetch call.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of automated exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate authentication, but an ordinary user‑level account is sufficient to trigger the fetch. Once triggered, the attacker can read the body of any HTTP response the server can reach, which may expose internal services, configuration data, or other sensitive content. The attack vector is an authenticated web application request, so defenders should prioritize fixing the missing SSRF protection.

Generated by OpenCVE AI on March 24, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to version 26.0 or later where the BulkEmbed thumbnail fetch is hardened.
  • If an upgrade is not immediately possible, disable or remove the BulkEmbed plugin until the patch is applied.
  • Restrict the server’s outbound network access from the web application to the necessary public endpoints, blocking internal network ranges.

Advisories
Source: GitHub GHSA
ID: GHSA-66cw-h2mj-j39p
Title: AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources
History

Wed, 25 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 21:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Sun, 22 Mar 2026 17:00:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.
Type: Title
Values Added: AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources
Type: Weaknesses
Values Added: CWE-918
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:50:25.707Z

Reserved: 2026-03-18T18:55:47.427Z

Link: CVE-2026-33294

Vulnrichment

Updated: 2026-03-25T13:50:22.378Z

NVD

Status: Analyzed

Published: 2026-03-22T17:17:09.100

Modified: 2026-03-24T21:14:36.193

Link: CVE-2026-33294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:27Z

Weaknesses