The vulnerability CVE-2026-33024 affects WWBN's AVideo-Encoder software versions before 8.0. It is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, located in the public thumbnail generation endpoints getImage.php and getImageMP4.php. These endpoints accept a base64Url GET parameter, which is base64-decoded to obtain a URL that is then passed directly to the ffmpeg multimedia framework as an input source. The only validation performed on the URL is a syntactic check using FILTER_VALIDATE_URL and ensuring the URL begins with http(s)://. This validation is insufficient, allowing attackers to supply URLs pointing to internal network addresses such as 169.254.169.254 (commonly used for AWS and other cloud instance metadata), private IP ranges (e.g., 192.168.x.x), or localhost (127.0.0.1). Because ffmpeg fetches the resource from the supplied URL, the server can be tricked into making HTTP requests to internal services that are otherwise inaccessible externally. Although the server does not return the response content directly (blind SSRF), attackers can leverage timing differences and error logs to infer the existence and behavior of internal resources. This can lead to sensitive information disclosure, such as cloud instance metadata, which may contain credentials or tokens, and potentially enable further attacks like privilege escalation or lateral movement within the network. The vulnerability requires no authentication or user interaction, making it highly exploitable. The vendor fixed this issue in version 8.0 by presumably improving input validation or restricting URL schemes and destinations. The CVSS 4.0 score of 9.3 reflects the critical nature of this vulnerability due to its high impact on confidentiality and integrity, ease of exploitation, and broad scope of affected systems running vulnerable versions of AVideo-Encoder.

The SSRF vulnerability in AVideo-Encoder can have severe consequences for organizations using affected versions. Attackers can exploit this flaw to access internal network resources that are normally protected by firewalls or network segmentation, such as cloud metadata services, internal APIs, or management interfaces. Access to cloud instance metadata (e.g., AWS EC2 metadata service) can expose sensitive credentials, tokens, or configuration data, enabling attackers to escalate privileges or move laterally within the cloud environment. Internal network reconnaissance can facilitate further exploitation of vulnerable services or data exfiltration. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely by unauthenticated attackers, increasing the risk of widespread compromise. The blind nature of the SSRF limits direct data leakage but does not prevent attackers from inferring valuable information through timing attacks and error messages. Organizations relying on AVideo-Encoder for video sharing and processing may face data breaches, service disruption, or unauthorized access to internal systems. The critical CVSS score underscores the urgency of remediation to prevent potential large-scale impacts.

To mitigate this SSRF vulnerability, organizations should immediately upgrade AVideo-Encoder to version 8.0 or later, where the issue is fixed. If upgrading is not immediately possible, implement strict network-level controls to restrict outbound HTTP(S) requests from the AVideo-Encoder server to only trusted external endpoints, blocking access to internal IP ranges (e.g., 169.254.169.254, 127.0.0.1, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12). Employ web application firewalls (WAFs) with custom rules to detect and block SSRF attack patterns, especially requests containing suspicious base64Url parameters. Monitor server logs for unusual outbound requests or error patterns indicative of SSRF exploitation attempts. Implement application-level input validation enhancements to whitelist allowed domains or URLs and reject any requests targeting internal or private IP addresses. Consider isolating the AVideo-Encoder service in a segmented network zone with minimal access to internal resources. Regularly audit and rotate cloud instance credentials and metadata service tokens to limit exposure in case of SSRF exploitation. Finally, educate development teams about secure coding practices to avoid passing untrusted input directly to system utilities like ffmpeg.