CVE-2026-33294: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that includes a BulkEmbed plugin allowing users to embed multiple videos with thumbnails. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) uses a function called `url_get_contents()` to fetch thumbnail images from user-supplied URLs. Unlike six other URL-fetching endpoints in AVideo, this endpoint lacks the `isSSRFSafeURL()` validation, which is designed to prevent Server-Side Request Forgery (SSRF) attacks. SSRF vulnerabilities allow attackers to coerce the server into making HTTP requests to arbitrary internal or external resources. In this case, an authenticated attacker can supply a crafted thumbnail URL that points to internal network resources, causing the server to fetch and expose the contents of those resources when the saved video thumbnail is viewed. This can lead to unauthorized internal network scanning, data leakage, and potentially facilitate further attacks against internal systems. The vulnerability is tracked as CVE-2026-33294 and is classified under CWE-918 (SSRF). It has a CVSS 3.1 base score of 5.0, indicating medium severity, with attack vector network, low attack complexity, requiring privileges (authentication), no user interaction, and partial confidentiality impact. No known exploits are currently reported in the wild. The issue is fixed in AVideo version 26.0 by adding the missing SSRF protection to the BulkEmbed plugin's save endpoint.
Potential Impact
The primary impact of this SSRF vulnerability is unauthorized internal network reconnaissance and potential data exposure. An attacker with valid credentials can exploit the flaw to make the server issue HTTP requests to internal services that are otherwise inaccessible externally. This can reveal sensitive information such as internal web applications, metadata services, or other network resources. While the vulnerability does not directly allow data modification or denial of service, the information gathered can facilitate further attacks, including privilege escalation or lateral movement within an organization’s network. Organizations running vulnerable versions of AVideo expose their internal infrastructure to risk, especially if the platform is accessible from the internet and user authentication is weak or compromised. The medium severity score reflects the moderate impact and the requirement for authentication, but the potential for internal network exposure makes this a significant concern for organizations relying on AVideo for video content management.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade WWBN AVideo to version 26.0 or later, where the SSRF protection is implemented in the BulkEmbed plugin. Until an upgrade is possible, administrators should restrict access to the BulkEmbed plugin’s save endpoint to trusted users only and monitor logs for unusual URL fetch requests. Network-level controls such as firewall rules can be applied to limit the server’s ability to make outbound HTTP requests to internal IP ranges, reducing the risk of SSRF exploitation. Additionally, implementing strict input validation and URL whitelisting for thumbnail URLs can help prevent malicious URLs from being processed. Regularly auditing user privileges and enforcing strong authentication mechanisms will reduce the likelihood of an attacker gaining the necessary access to exploit this vulnerability. Finally, monitoring for unusual internal network traffic originating from the AVideo server can help detect exploitation attempts.
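As an added illustration of the kind of guard the recommendations above call for (this is not AVideo's own `isSSRFSafeURL()` nor code from the project, and the function names are assumptions), a PHP check that accepts only http(s) thumbnail URLs on default ports, requires every address the host resolves to be public, and fetches without following redirects:

```php
<?php
// Added illustration of an SSRF guard for a user-supplied thumbnail URL;
// not AVideo's isSSRFSafeURL(), and the function names are assumptions.
// Policy: http(s) only, default ports, no credentials in the URL, every
// address the host resolves to must be public, and redirects not followed.
function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects
    // loopback, link-local (169.254/16, where cloud metadata endpoints
    // live), 0.0.0.0/8, fe80::/10 and IPv4-mapped IPv6 addresses.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
function is_ssrf_safe_thumbnail_url(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return false;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return false;
    if (isset($p['user']) || isset($p['pass'])) return false;
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) return false;
    $host = strtolower(trim($p['host'], '[]'));   // parse_url keeps [] on IPv6
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host);                // literal IP: check directly
    }
    // Resolve all A/AAAA records; a single internal answer fails the URL.
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if (empty($records)) return false;
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($ip === null || !is_public_ip($ip)) return false;
    }
    return true;
}
// Guarded fetch: body on HTTP 200, false on any rejection or failure.
function fetch_thumbnail(string $url)
{
    if (!is_ssrf_safe_thumbnail_url($url)) return false;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ($body !== false && $code === 200) ? $body : false;
}
```

The validation and curl's own lookup are two separate DNS resolutions, so a name whose answer changes between them (DNS rebinding) can still slip through. Pin the address that passed the check with CURLOPT_RESOLVE so curl connects only to it.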
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T18:55:47.427Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c02043f4197a8e3ba1f6d0
Added to database: 3/22/2026, 5:00:51 PM
Last enriched: 3/29/2026, 7:50:29 PM
Last updated: 5/7/2026, 4:27:25 AM