{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33237", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.508Z", "datePublished": "2026-03-20T23:30:04.209Z", "dateUpdated": "2026-04-13T17:40:38.441Z"}, "containers": {"cna": {"title": "AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh"}, {"name": "https://github.com/WWBN/AVideo/issues/10403", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/issues/10403"}, {"name": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T17:40:38.441Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-v467-g7g7-hhfh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T17:59:27.040841Z", "id": "CVE-2026-33237", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:00:17.609Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33237", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T17:59:27.040841Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:59:54.452Z"}}], "cna": {"title": "AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation", "source": {"advisory": "GHSA-v467-g7g7-hhfh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/issues/10403", "name": "https://github.com/WWBN/AVideo/issues/10403", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83", "name": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T17:40:38.441Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33237", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:40:38.441Z", "dateReserved": "2026-03-18T02:42:27.508Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T23:30:04.209Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, la funci\u00f3n 'run()' del plugin Scheduler en 'plugin/Scheduler/Scheduler.php' llama a 'url_get_contents()' con una 'callbackURL' configurable por el administrador que es validada \u00fanicamente por 'isValidURL()' (verificaci\u00f3n de formato de URL). A diferencia de otros endpoints de AVideo que fueron recientemente parcheados para SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), la URL de callback del Scheduler nunca pasa por 'isSSRFSafeURL()', que bloquea las solicitudes a direcciones privadas RFC-1918, loopback y endpoints de metadatos en la nube. Un administrador puede configurar una tarea programada con una 'callbackURL' de red interna para realizar SSRF contra servicios de metadatos de infraestructura en la nube o APIs internas no accesibles de otra manera desde internet. La versi\u00f3n 26.0 contiene un parche para el problema."}], "id": "CVE-2026-33237", "lastModified": "2026-04-13T18:16:29.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:26.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/issues/10403"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T20:26:03.074628+00:00", "value": {"mitigation_remediation": ["Upgrade to AVideo version 26.0 or later, which adds SSRF safe URL checks.", "If an upgrade is not possible, disable the Scheduler plugin or remove any scheduled tasks that use callbackURL.", "Verify that the Scheduler plugin is not configured to use internal or cloud metadata URLs.", "Monitor admin configurations for unauthorized changes to callbackURL values."], "summary": {"action": "Immediate Patch", "impact": "Remote Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WWBN AVideo open\u2011source video platform. Versions prior to 26.0 are vulnerable. Version\u00a026.0 includes a patch that ensures the callbackURL is evaluated by isSSRFSafeURL(), blocking RFC\u20111918 addresses, loopback, and cloud metadata services. Users running earlier releases should upgrade or disable the Scheduler plugin.", "description_and_impact": "The Scheduler plugin\u2019s run() function performs an HTTP request to an admin\u2011configurable callbackURL using url_get_contents. Only the URL format is validated, and the function is not protected against server\u2011side request forgery. An authenticated administrator can set the callbackURL to an internal network address or a cloud metadata endpoint, enabling the platform to retrieve information or perform actions on hosts that are otherwise unreachable from the internet. This gives an attacker the ability to obtain sensitive data, exfiltrate internal information, or interact with internal services, potentially leading to privilege escalation or data compromise.", "risk_and_exploitability": "The CVSS score is 5.5, reflecting a moderate risk. EPSS is below 1\u202f%, indicating a low probability of recent exploitation. It is not listed in the CISA KEV catalog. Exploitation requires administrative control over the Scheduler plugin, meaning the attacker would need to authenticate as an administrator or gain control over scheduled tasks. With such access, the attacker could introduce arbitrary callbackURLs to perform SSRF against internal hosts or cloud metadata endpoints. The attack vector is limited to privileged users, but the impact on internal resources can be significant if unmitigated."}}}}, "created": "2026-03-23T09:51:33.084137+00:00", "updated": "2026-03-25T14:33:32.871392+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}