CVE-2026-33024 is a critical SSRF vulnerability identified in WWBN's AVideo-Encoder software versions prior to 8.0. The vulnerability resides in two public endpoints, getImage.php and getImageMP4.php, which accept a base64Url GET parameter. This parameter is base64-decoded and the resulting URL is passed directly to ffmpeg as an input source without any authentication or robust validation. The only validation performed was a syntactic check ensuring the URL started with http(s)://, which is insufficient to prevent SSRF attacks. An attacker can supply URLs targeting internal IP ranges (e.g., 127.0.0.1, 192.168.x.x) or cloud provider metadata services (e.g., AWS 169.254.169.254) to force the server to make HTTP requests to these internal resources. Although the server does not return the response directly (blind SSRF), attackers can leverage timing differences and error logs to infer the existence and content of internal resources. This can lead to information disclosure about the internal network, cloud metadata, or other sensitive services. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely. The CVSS 4.0 score of 9.3 reflects the critical nature of this flaw, with network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. The vulnerability was publicly disclosed on March 20, 2026, and fixed in AVideo-Encoder version 8.0. No known exploits are currently reported in the wild, but the risk remains significant due to the ease of exploitation and potential impact.

The SSRF vulnerability in AVideo-Encoder can have severe consequences for organizations using affected versions. Attackers can leverage this flaw to perform internal network reconnaissance, accessing sensitive internal services that are otherwise inaccessible externally. This includes cloud instance metadata services, which often contain credentials and configuration data that can be used to escalate privileges or pivot within the network. Access to internal IP ranges can expose databases, admin interfaces, or other critical infrastructure components. Although the SSRF is blind, attackers can still extract valuable information through timing attacks and error messages, potentially leading to further exploitation such as remote code execution or data exfiltration. The lack of authentication and user interaction requirements increases the risk of automated mass scanning and exploitation attempts. Organizations relying on AVideo-Encoder for video processing and sharing may face data breaches, service disruptions, and compromise of their internal network security. Given the critical CVSS score, the vulnerability poses a high risk to confidentiality and integrity, with potential indirect impacts on availability if attackers leverage discovered internal services for further attacks.

To mitigate this vulnerability, organizations should immediately upgrade AVideo-Encoder to version 8.0 or later, where the issue has been fixed. If upgrading is not immediately possible, implement strict input validation on the base64Url parameter to ensure URLs do not point to internal IP ranges, localhost, or cloud metadata IP addresses. Employ allowlisting of trusted external domains and reject all others. Restrict the server's network egress access to prevent connections to sensitive internal or cloud metadata IP addresses from the application server. Monitor application logs for unusual requests to the vulnerable endpoints and signs of SSRF exploitation attempts. Additionally, consider isolating the video encoding service in a network segment with limited access to internal resources. Implement web application firewalls (WAFs) with rules to detect and block SSRF patterns targeting internal IPs. Finally, conduct regular security assessments and penetration testing to detect similar SSRF or input validation issues.