WWBN AVideo is an open-source video platform that includes multiple URL-fetching endpoints. In versions prior to 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs using the `url_get_contents()` function without applying the SSRF protection mechanism `isSSRFSafeURL()`. This omission allows an authenticated attacker to supply arbitrary URLs, including those pointing to internal network resources that are normally inaccessible externally. When the server fetches these URLs, it effectively acts as a proxy, enabling the attacker to read internal HTTP responses by viewing the saved video thumbnail. This SSRF vulnerability is categorized under CWE-918. Other URL-fetching endpoints in AVideo have been hardened against SSRF by validating URLs with `isSSRFSafeURL()`, but this particular endpoint was missed in the hardening process. The vulnerability was publicly disclosed on March 22, 2026, and fixed in version 26.0 of AVideo. The CVSS 3.1 base score is 5.0, indicating a medium severity issue with network attack vector, low attack complexity, requiring privileges (authenticated attacker), no user interaction, and impacting confidentiality with a scope change possible. No known exploits have been reported in the wild as of the publication date.

The primary impact of this SSRF vulnerability is the potential exposure of internal network resources that are normally shielded from external access. An attacker with valid credentials can leverage the vulnerable endpoint to make the server perform HTTP requests to internal services, potentially accessing sensitive information such as internal APIs, metadata services, or other protected resources. This can lead to information disclosure, reconnaissance for further attacks, or pivoting within the network. Although the vulnerability does not directly allow code execution or denial of service, the confidentiality breach can be significant depending on the internal resources accessible. Organizations using affected versions of WWBN AVideo risk unauthorized internal data exposure, which could compromise network security posture and privacy compliance. The requirement for authentication limits the attack surface to users with some level of access, but insider threats or compromised accounts could exploit this flaw. Since AVideo is an open-source platform used globally, organizations deploying it in sensitive environments or with internal network segmentation could be particularly impacted.

To mitigate this vulnerability, organizations should upgrade WWBN AVideo to version 26.0 or later, where the BulkEmbed plugin's save endpoint includes proper SSRF protections. If immediate upgrade is not feasible, administrators should restrict access to the BulkEmbed plugin's save endpoint to trusted users only and monitor logs for suspicious URL fetch requests. Network-level controls such as firewall rules or web application firewalls (WAFs) can be configured to block outbound HTTP requests from the AVideo server to internal IP ranges or sensitive endpoints. Additionally, implementing strict input validation and URL whitelisting on user-supplied URLs can reduce SSRF risks. Regularly auditing plugin configurations and applying security patches promptly will help prevent similar issues. Finally, monitoring for anomalous internal network traffic originating from the AVideo server can aid in early detection of exploitation attempts.