CVE-2026-33766: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 contains a patch.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that includes functionality to fetch URLs. In versions up to and including 26.0, the platform attempts to prevent SSRF attacks by validating URLs against private and reserved IP address ranges using the `isSSRFSafeURL()` function before fetching content. However, the function responsible for fetching URLs, `url_get_contents()`, follows HTTP redirects without re-validating the redirected URL's destination. This design flaw allows an attacker to supply a public URL that passes the initial validation but responds with an HTTP redirect to an internal or private IP address. Because the redirect target is not re-checked, the server fetches the internal resource, effectively bypassing SSRF protections. This can lead to unauthorized access to internal services, potentially exposing sensitive data or enabling further attacks such as internal network reconnaissance or exploitation of other internal vulnerabilities. The vulnerability is tracked as CVE-2026-33766 and classified under CWE-918 (Server-Side Request Forgery). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on confidentiality and integrity, with no impact on availability. The vendor has addressed this issue in a patch referenced by commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12, which presumably adds validation of redirect targets to prevent SSRF bypass.
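The following is an added, offline-runnable illustration of the defensive pattern the summary implies: disable the HTTP client's automatic redirect handling and run the same private-address check on every `Location` target before requesting it, instead of validating only the first URL. It is example code written for this page in Python, not AVideo's PHP `isSSRFSafeURL()`/`url_get_contents()` and not the referenced patch; the function names, the `*.example` hosts, the addresses in `FAKE_DNS` and the stubbed transport are all constructed for the demo.

```python
"""Added example (not AVideo's code): validate every redirect hop, not just the first URL.

The advisory's bug is validate-once-then-follow-redirects. The safe shape is to turn off
the HTTP client's automatic redirect handling and run the same address check on each
Location target before requesting it. All names here (is_ssrf_safe_url,
fetch_with_revalidation, SSRFBlocked, the *.example hosts, the addresses) are this
example's own constructions, not AVideo's PHP functions or its patch.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class SSRFBlocked(Exception):
    """Raised when the initial URL or any redirect target points at a non-public address."""


def _is_public_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)  # raises ValueError for hostnames
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254/16), CGNAT
    # (100.64/10), multicast, unspecified and the other IANA special-purpose ranges.
    return ip.is_global


def is_ssrf_safe_url(url, resolver=socket.getaddrinfo):
    """True only if url is http(s) and every address its host resolves to is public.

    resolver takes socket.getaddrinfo's (host, port) arguments; the demo injects an
    offline stub so the example runs without DNS.
    """
    parsed = urlparse(url)
    host = parsed.hostname  # lower-cased, brackets stripped from IPv6 literals
    if parsed.scheme not in ("http", "https") or not host:
        return False
    try:
        return _is_public_ip(host)  # IP literal: no lookup needed
    except ValueError:
        pass
    try:
        addrs = {info[4][0] for info in resolver(host, None)}
    except socket.gaierror:
        return False
    # One internal A/AAAA answer is enough to reject the whole host.
    return bool(addrs) and all(_is_public_ip(a) for a in addrs)


def fetch_with_revalidation(url, transport, resolver=socket.getaddrinfo, max_redirects=5):
    """Fetch url, following redirects by hand and validating every hop.

    transport(url) -> (status, headers, body) and must not follow redirects itself
    (curl: CURLOPT_FOLLOWLOCATION off; requests: allow_redirects=False).
    Returns (final_url, status, body); raises SSRFBlocked on a non-public hop.
    """
    hops = []
    for _ in range(max_redirects + 1):
        if not is_ssrf_safe_url(url, resolver):
            raise SSRFBlocked(f"refusing {url!r} (previous hops: {hops})")
        hops.append(url)
        status, headers, body = transport(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # relative Location resolves against this hop
            continue
        return url, status, body
    raise SSRFBlocked(f"more than {max_redirects} redirects: {hops}")


# --- constructed offline scenario: no network, no real hosts -------------------
FAKE_DNS = {
    "cdn.example": ["51.15.0.10"],         # public address (constructed)
    "redirector.example": ["51.15.0.20"],  # public, but its response is a redirect
    "intranet.example": ["10.0.0.5"],      # RFC 1918, must never be fetched
}


def fake_resolver(host, port, *args):
    """getaddrinfo-shaped stub over FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in FAKE_DNS[host]]


def fake_transport(url):
    """Stands in for an HTTP client with redirect following disabled."""
    host = urlparse(url).hostname
    if host == "redirector.example":  # the bypass the advisory describes
        return 302, {"Location": "http://intranet.example/admin"}, b""
    if host == "cdn.example":
        return 200, {"Content-Type": "text/plain"}, b"public content"
    return 200, {}, b"INTERNAL DATA - must never be returned"


def demo():
    """Run both cases; returns outcomes so they can be checked programmatically."""
    out = {"direct": fetch_with_revalidation("http://cdn.example/x", fake_transport, fake_resolver)[2]}
    try:
        fetch_with_revalidation("http://redirector.example/go", fake_transport, fake_resolver)
        out["redirect"] = "fetched"
    except SSRFBlocked:
        out["redirect"] = "blocked"
    return out


if __name__ == "__main__":
    print(demo())  # {'direct': b'public content', 'redirect': 'blocked'}
```

The direct fetch succeeds, while the redirecting host passes the first check and is then refused at hop 1 because `intranet.example` resolves to an RFC 1918 address. One design limitation worth knowing: this check resolves the host separately from the connection the HTTP client later makes, so a production implementation should also pin the validated address to the actual connect (for example by connecting to the checked IP and setting the Host header) rather than letting the client resolve the name a second time.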
Potential Impact
Organizations using WWBN AVideo versions 26.0 or earlier are at risk of SSRF attacks that can bypass existing protections. This vulnerability can allow attackers to access internal network resources that are normally inaccessible from the internet, potentially exposing sensitive internal services, configuration data, or administrative interfaces. The SSRF can be leveraged to perform internal network reconnaissance, access metadata services in cloud environments, or pivot to other internal systems. While the CVSS score indicates medium severity, the actual impact depends on the internal network architecture and the sensitivity of accessible resources. Exploitation does not require authentication but does require user interaction, which may limit automated exploitation but still poses a significant risk in environments where users can be tricked into triggering the vulnerability. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks. Organizations with sensitive internal services or cloud metadata endpoints exposed internally are particularly at risk.
Mitigation Recommendations
Administrators should promptly update WWBN AVideo to a version that includes the patch from commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 or later. If immediate patching is not possible, implement network-level controls to restrict outbound HTTP requests from the AVideo server to only trusted external destinations, preventing unauthorized internal network access. Additionally, monitor logs for unusual outbound requests or redirects initiated by the application. Employ web application firewalls (WAFs) with rules designed to detect and block SSRF patterns, especially those involving redirects to private IP ranges. Review and minimize the exposure of internal services and metadata endpoints to reduce the attack surface. Educate users about the risks of interacting with untrusted URLs that might trigger SSRF conditions. Finally, conduct internal penetration testing to identify any other SSRF or related vulnerabilities in the environment.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T18:30:14.126Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c697e13c064ed76fb722ac
Added to database: 3/27/2026, 2:44:49 PM
Last enriched: 3/27/2026, 3:00:35 PM
Last updated: 3/27/2026, 3:50:59 PM