CVE-2026-33237: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
AI Analysis
Technical Summary
WWBN AVideo's Scheduler plugin prior to version 26.0 has an SSRF vulnerability due to insufficient validation of the admin-configurable callbackURL parameter in the run() function. The callbackURL is validated only by a format check (isValidURL()) but not by the stricter isSSRFSafeURL() function that blocks requests to private IP ranges, loopback addresses, and cloud metadata endpoints. This flaw enables an attacker with admin privileges to configure scheduled tasks that can perform SSRF attacks against internal network services. The vulnerability is addressed in version 26.0 by applying proper SSRF-safe URL validation.
Potential Impact
An attacker with administrative privileges can exploit this vulnerability to cause the server to make unauthorized requests to internal network resources, including cloud infrastructure metadata services or internal APIs that are otherwise inaccessible from the internet. This can lead to unauthorized information disclosure (confidentiality impact is high), though integrity and availability impacts are low. The CVSS score is 5.5 (medium severity). There are no known exploits in the wild.
Mitigation Recommendations
Upgrade WWBN AVideo to version 26.0 or later, where the Scheduler plugin's callbackURL parameter is properly validated using isSSRFSafeURL() to block SSRF attempts to private, loopback, and cloud metadata addresses. Until the upgrade is applied, restrict administrative access to trusted users only, as exploitation requires admin privileges. Patch status is confirmed fixed in version 26.0.
CVE-2026-33237: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo's Scheduler plugin prior to version 26.0 has an SSRF vulnerability due to insufficient validation of the admin-configurable callbackURL parameter in the run() function. The callbackURL is validated only by a format check (isValidURL()) but not by the stricter isSSRFSafeURL() function that blocks requests to private IP ranges, loopback addresses, and cloud metadata endpoints. This flaw enables an attacker with admin privileges to configure scheduled tasks that can perform SSRF attacks against internal network services. The vulnerability is addressed in version 26.0 by applying proper SSRF-safe URL validation.
Potential Impact
An attacker with administrative privileges can exploit this vulnerability to cause the server to make unauthorized requests to internal network resources, including cloud infrastructure metadata services or internal APIs that are otherwise inaccessible from the internet. This can lead to unauthorized information disclosure (confidentiality impact is high), though integrity and availability impacts are low. The CVSS score is 5.5 (medium severity). There are no known exploits in the wild.
Mitigation Recommendations
Upgrade WWBN AVideo to version 26.0 or later, where the Scheduler plugin's callbackURL parameter is properly validated using isSSRFSafeURL() to block SSRF attempts to private, loopback, and cloud metadata addresses. Until the upgrade is applied, restrict administrative access to trusted users only, as exploitation requires admin privileges. Patch status is confirmed fixed in version 26.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-18T02:42:27.508Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69bdda56b462d409683a8bdf
Added to database: 3/20/2026, 11:37:58 PM
Last enriched: 4/14/2026, 11:28:38 AM
Last updated: 4/30/2026, 11:23:51 AM
Views: 56
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.