{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33024", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.668Z", "datePublished": "2026-03-20T04:58:47.845Z", "dateUpdated": "2026-03-20T18:08:08.761Z"}, "containers": {"cna": {"title": "AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq"}, {"name": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06"}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"version": "< 8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:58:47.845Z"}, "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."}], "source": {"advisory": "GHSA-h9gh-866r-6vgq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:29:04.627265Z", "id": "CVE-2026-33024", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:08:08.761Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33024", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T16:29:04.627265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:29:12.126Z"}}], "cna": {"title": "AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator", "source": {"advisory": "GHSA-h9gh-866r-6vgq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"status": "affected", "version": "< 8.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq", "name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06", "name": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:58:47.845Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33024", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:08:08.761Z", "dateReserved": "2026-03-17T17:22:14.668Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T04:58:47.845Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*", "matchCriteriaId": "7838B812-EB07-43E4-B3F6-0887FB6CA33E", "versionEndExcluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."}, {"lang": "es", "value": "AVideo es una plataforma para compartir videos. Las versiones anteriores a la 8.0 contienen una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (CWE-918) en los puntos finales p\u00fablicos de miniaturas getImage.php y getImageMP4.php. Ambos puntos finales aceptan un par\u00e1metro GET base64Url, lo decodifican en base64 y pasan la URL resultante a ffmpeg como fuente de entrada sin ning\u00fan requisito de autenticaci\u00f3n. La validaci\u00f3n previa solo verificaba que la URL fuera sint\u00e1cticamente v\u00e1lida (FILTER_VALIDATE_URL) y comenzara con http(s)://. Esto es insuficiente: un atacante puede proporcionar URLs como http://169.254.169.254/latest/meta-data/ (metadatos de instancia de AWS/nube), http://192.168.x.x/, o http://127.0.0.1/ para hacer que el servidor acceda a recursos de red internos. La respuesta no se devuelve directamente (ciega), pero las diferencias de tiempo y los registros de errores pueden usarse para inferir resultados. El problema ha sido solucionado en la versi\u00f3n 8.0."}], "id": "CVE-2026-33024", "lastModified": "2026-03-24T16:41:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:15.717", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo-Encoder", "source": "cna", "vendor": "WWBN"}, "product": "avideo-encoder", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T17:30:13.480635+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo\u2011Encoder to version 8.0 or later where the SSRF issue is fixed", "If an immediate upgrade is not possible, limit access to getImage.php and getImageMP4.php to authenticated or trusted IP ranges using the web server\u2019s access control settings", "Implement firewall rules that block outbound connections from the encoder\u2019s host to private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to prevent internal network targeting", "Enable detailed logging for ffmpeg execution so that odd URLs or source addresses can be detected and blocked manually", "Monitor application logs for unusual request patterns to the thumbnail endpoints as an early warning of potential exploitation"], "summary": {"action": "Patch Now", "impact": "Server\u2011Side Request Forgery (SSRF) that permits an unauthenticated attacker to trigger ffmpeg to fetch resources from internal or cloud instance metadata endpoints, enabling potential data exposure or internal enumeration"}, "threat_synthesis": {"affected_systems": "The affected product is AVideo\u2011Encoder from WWBN. All releases prior to version 8.0 are vulnerable. No specific sub\u2011versions are listed beyond the general version boundary. Users running any older version of the encoder should consider this finding applicable.", "description_and_impact": "AVideo-Encoder versions earlier than 8.0 expose a blind SSRF vulnerability in the public thumbnail generators getImage.php and getImageMP4.php. The endpoints accept a base64\u2011encoded URL, decode it, and pass the resulting address directly to ffmpeg without proper validation or authentication. The only previous check ensured the URL was syntactically valid and started with http(s)://, which is insufficient. An attacker can supply URLs pointing to internal networks or cloud instance metadata, such as http://169.254.169.254/latest/meta-data/, http://192.168.x.x/, or http://127.0.0.1/. Although the server\u2019s response is not returned to the attacker (blind), timing differences and error logs can be leveraged to infer success, thus enabling covert reconnaissance or further exploitation. The vulnerability, categorized as CWE\u2011918, poses a significant risk of unauthorized internal access.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a very high severity, and the EPSS score of less than 1% suggests low current exploit prevalence. The flaw is not listed in CISA\u2019s KEV catalog, but its unrestricted SSRE nature and high score warrant urgent attention. Exploitation requires only a crafted HTTP request to the public thumbnail endpoint; no authentication or advanced techniques are required. If successful, attackers can enumerate internal network resources or access protected metadata services, potentially paving the way for broader compromise."}}}}, "created": "2026-03-20T08:52:33.803700+00:00", "updated": "2026-03-25T14:09:14.033855+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo-encoder"]}