CVE-2026-33294
Received Received - Intake
SSRF Vulnerability in WWBN AVideo BulkEmbed Plugin

Publication date: 2026-03-22

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-22
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33294
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33294 is a Server-Side Request Forgery (SSRF) vulnerability in the BulkEmbed plugin of the WWBN AVideo platform. The vulnerability occurs because the plugin's save endpoint fetches user-supplied thumbnail URLs without proper SSRF protection. Specifically, it uses the function url_get_contents() to retrieve thumbnail images from URLs provided by authenticated users, but unlike other similar endpoints, it does not validate these URLs with the isSSRFSafeURL() function."}, {'type': 'paragraph', 'content': 'This lack of validation allows an authenticated attacker to make the server perform HTTP requests to internal network resources or cloud metadata services by supplying malicious thumbnail URLs. The server then saves the response content as the video thumbnail, which the attacker can view, effectively reading internal or sensitive data through the server.'}] [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker with BulkEmbed permissions to perform unauthorized HTTP requests from your server to internal network resources or cloud metadata endpoints.

  • The attacker can retrieve sensitive information such as cloud credentials from metadata services (e.g., AWS IAM role credentials), which could lead to unauthorized access to cloud infrastructure like S3 buckets and databases.
  • It enables internal network reconnaissance by probing private IP ranges and services that are normally inaccessible from outside.
  • Sensitive data from internal HTTP-accessible services can be exfiltrated by viewing the saved video thumbnails containing the fetched internal responses.

Overall, this vulnerability compromises confidentiality and security boundaries by allowing attackers to leverage the server as a proxy to access internal or cloud infrastructure resources.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unusual HTTP requests made by the server to internal or cloud metadata service URLs originating from the BulkEmbed plugin's thumbnail fetching functionality."}, {'type': 'paragraph', 'content': 'Since the vulnerability involves the server fetching user-supplied thumbnail URLs without SSRF protection, detection can focus on identifying requests to internal IP ranges or cloud metadata endpoints such as 169.254.169.254.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests from the server to internal IPs or metadata service IPs, e.g.: tcpdump -i eth0 host 169.254.169.254 or tcpdump -i eth0 net 10.0.0.0/8'}, {'type': 'list_item', 'content': 'Checking web server or application logs for requests to the BulkEmbed save endpoint (`plugin/BulkEmbed/save.json.php`) with suspicious thumbnail URLs pointing to internal or cloud metadata IPs.'}, {'type': 'list_item', 'content': "Using grep or similar tools to search logs for keywords like 'BulkEmbed' or internal IP addresses, e.g.: grep 'BulkEmbed' /var/log/apache2/access.log | grep '169.254.169.254'"}, {'type': 'list_item', 'content': 'Reviewing saved video thumbnail files or database entries for unexpected content that may contain internal network data fetched via SSRF.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': "The immediate mitigation step is to upgrade the WWBN AVideo platform to version 26.0 or later, where the BulkEmbed plugin's save endpoint includes SSRF protection by validating thumbnail URLs with the `isSSRFSafeURL()` function before fetching."}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, restrict access to the BulkEmbed plugin to trusted users only, as exploitation requires authenticated users with BulkEmbed permissions.'}, {'type': 'paragraph', 'content': 'Additionally, consider implementing network-level controls to block outgoing HTTP requests from the server to internal IP ranges and cloud metadata service IPs.'}, {'type': 'paragraph', 'content': 'Monitor logs for suspicious activity related to the BulkEmbed save endpoint and thumbnail URL fetching to detect potential exploitation attempts.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart