CVE-2026-33294
SSRF Vulnerability in WWBN AVideo BulkEmbed Plugin
Publication date: 2026-03-22
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | < 26.0 (fixed in 26.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33294 is a Server-Side Request Forgery (SSRF) vulnerability in the BulkEmbed plugin of the WWBN AVideo platform. The plugin's save endpoint fetches user-supplied thumbnail URLs without SSRF protection: it calls url_get_contents() on thumbnail URLs submitted by authenticated users but, unlike comparable endpoints in the platform, does not first validate them with isSSRFSafeURL().

Because the URL is never checked, an authenticated attacker can make the server issue HTTP requests to internal network resources or cloud metadata services simply by supplying a malicious thumbnail URL. The server stores the response body as the video thumbnail, which the attacker can then view, so the server becomes a read proxy for internal or otherwise sensitive data. [1, 2]
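The fetch path described above, modeled as an added example that is not AVideo's code (Python rather than the project's PHP; the names echo the page's url_get_contents()/isSSRFSafeURL() but the implementation is illustrative): a vulnerable save that hands the submitted URL straight to the fetcher, beside a hardened save that first requires every address the host maps to be globally routable. The stub resolver, stub fetcher, hostnames and verdicts are constructed; the resolver is injectable so the example runs offline.

```python
"""Model of the BulkEmbed flaw and its fix: one thumbnail-fetch path that
passes the submitted URL straight to the fetcher, one that refuses any URL
whose destination is not globally routable. Illustrative only; the names
echo url_get_contents()/isSSRFSafeURL() but this is not AVideo code."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Names rejected outright even though their addresses fail the routability
# test anyway; it keeps the rejection reason explicit in logs.
BLOCKED_NAMES = {"localhost", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]
Fetcher = Callable[[str], bytes]


def system_resolver(host: str) -> list[str]:
    """OS resolver, A and AAAA. Every record is returned so that a name with
    one public and one private answer is still rejected."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_ssrf_safe_url(url: str, resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (ok, reason). Fails closed on unknown schemes, missing or
    unresolvable hosts, and any address that is loopback, private, link-local
    (which covers 169.254.169.254), reserved or otherwise non-global."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # excludes userinfo: http://a@b/ is judged on 'b'
    if not host:
        return False, "no host in URL"
    if host in BLOCKED_NAMES:
        return False, f"host {host!r} is blocked by name"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no DNS involved
    except ValueError:
        # Not a dotted/colon literal. Spellings such as 0x7f000001 reach the
        # resolver, which (like glibc's inet_aton) turns them into 127.0.0.1.
        resolved = list(resolve(host))
        if not resolved:
            return False, f"host {host!r} did not resolve"
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for ip in addrs:
        mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 hides a v4 address
        if mapped is not None:
            ip = mapped
        if not ip.is_global:
            return False, f"{ip} is not a globally routable address"
    return True, "ok"


def save_thumbnail_vulnerable(url: str, fetch: Fetcher) -> bytes:
    """The flawed pattern: whatever the user submitted is fetched and stored."""
    return fetch(url)


def save_thumbnail_hardened(url: str, fetch: Fetcher, resolve: Resolver = system_resolver) -> bytes:
    """Validate before fetching; the fetcher is never invoked for a rejected URL.
    The check alone is not sufficient: the fetcher must also refuse redirects
    (or re-validate each hop) and connect to the address that was validated,
    otherwise a public host that 302s to 169.254.169.254, or whose DNS record
    changes between check and connect, walks around this function."""
    ok, reason = is_ssrf_safe_url(url, resolve)
    if not ok:
        raise ValueError(f"refusing thumbnail URL {url!r}: {reason}")
    return fetch(url)


# Constructed resolver and fetcher so the example runs offline.
STUB_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "intranet.example": ["10.1.2.3"],
    "dual.example": ["8.8.8.8", "192.168.1.1"],  # one public, one private record
    "0x7f000001": ["127.0.0.1"],                  # what inet_aton makes of a hex host
}


def stub_resolve(host: str) -> list[str]:
    return STUB_DNS.get(host, [])


def stub_fetch(url: str) -> bytes:
    return b"fetched:" + url.encode()


def demo() -> dict[str, bool]:
    """Verdict per URL under the stub resolver; only the CDN URL is allowed."""
    urls = [
        "https://cdn.example.com/t.jpg",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://127.0.0.1:8080/admin",
        "http://[::1]/",
        "http://[::ffff:10.0.0.1]/",
        "http://intranet.example/",
        "http://dual.example/",
        "http://0x7f000001/",
        "http://cdn.example.com@169.254.169.254/x.jpg",
        "file:///etc/passwd",
    ]
    return {u: is_ssrf_safe_url(u, stub_resolve)[0] for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("ALLOW" if ok else "BLOCK", url)
```

`ipaddress`'s `is_global` is what does the work: it is false for RFC 1918 space, loopback, link-local (hence the metadata address), shared address space and the IPv4-mapped IPv6 range, so the allow decision is "globally routable or nothing" rather than a denylist that has to be kept current. The docstring caveat on the hardened function is the reason network egress filtering still matters even after the code fix.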
How can this vulnerability impact me?
An authenticated attacker with BulkEmbed permissions can make your server issue HTTP requests to internal network resources or cloud metadata endpoints that are not reachable from outside.
- The attacker can retrieve sensitive information such as cloud credentials from metadata services (e.g., AWS IAM role credentials), which could lead to unauthorized access to cloud infrastructure like S3 buckets and databases.
- It enables internal network reconnaissance by probing private IP ranges and services that are normally inaccessible from outside.
- Sensitive data from internal HTTP-accessible services can be exfiltrated by viewing the saved video thumbnails containing the fetched internal responses.
Overall, this vulnerability compromises confidentiality and security boundaries by allowing attackers to leverage the server as a proxy to access internal or cloud infrastructure resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for outbound HTTP requests from the AVideo server to internal or cloud-metadata addresses that originate from the BulkEmbed plugin's thumbnail fetch.

Because the server fetches user-supplied thumbnail URLs without SSRF protection, detection should focus on requests to private IP ranges and cloud metadata endpoints such as 169.254.169.254.

Suggested commands and checks:
- Capture outbound traffic from the server to internal or metadata addresses with tcpdump or Wireshark, e.g. `tcpdump -i eth0 host 169.254.169.254` or `tcpdump -i eth0 net 10.0.0.0/8`. An AVideo host normally has no reason to open HTTP connections to the metadata address, so any hit deserves triage.
- Check web server or application logs for requests to the BulkEmbed save endpoint (`plugin/BulkEmbed/save.json.php`) whose thumbnail URL points at internal or metadata IPs, e.g. `grep 'BulkEmbed' /var/log/apache2/access.log | grep '169.254.169.254'`. Two caveats: the access log records only the request line, so a thumbnail URL sent in a POST body never appears there (the application's own logs or a request-body capture at a reverse proxy are needed instead); and a grep on the dotted address misses percent-encoded, decimal or hexadecimal spellings of the same host and names such as `localhost`, so decode and normalize before matching.
- Review saved video thumbnail files or database entries for unexpected content, for example an "image" that is actually an HTML, JSON or text response fetched via SSRF. [2]
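The log checks above, as an added detection example that is not part of AVideo or of the advisory (Python, run over constructed combined-format access-log lines; the `thumbnail` query parameter name, the usernames and the client addresses are assumptions): it decodes the query string including double-encoded values, normalizes decimal and hex host spellings that a grep on the dotted address misses, flags targets that are not globally routable, and lists POST saves separately because their body is not in the access log.

```python
"""Scan a combined-format access log for BulkEmbed save requests whose
thumbnail URL targets an internal or cloud-metadata address. Illustrative
detection code, not part of AVideo; the log lines are constructed and the
query parameter name 'thumbnail' is an assumption."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAVE_ENDPOINT = "plugin/BulkEmbed/save.json.php"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
URL_RE = re.compile(r"https?://[^\s\"'&]+", re.I)
BLOCKED_NAMES = {"localhost", "metadata.google.internal"}


def host_to_ip(host: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
    """Accept dotted/colon literals plus bare decimal (2130706433) and hex
    (0x7f000001) forms that a grep for '127.0.0.1' would miss. Names that
    need DNS return None: they are not decidable from the log alone."""
    for parse in (str, lambda h: int(h, 0)):
        try:
            return ipaddress.ip_address(parse(host))
        except ValueError:
            continue
    return None


def is_internal_target(url: str) -> str | None:
    """Reason string if the URL's host is a non-public destination, else None."""
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKED_NAMES:
        return f"blocked name {host}"
    ip = host_to_ip(host)
    if ip is None:
        return None
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 hides a v4 address
    if mapped is not None:
        ip = mapped
    if not ip.is_global:
        return f"{host} -> {ip} is not globally routable"
    return None


def extract_urls(path: str) -> list[str]:
    """Candidate URLs from the request path: decoded query values, plus anything
    URL-shaped after a second decode so double-encoded submissions are caught."""
    query = urlsplit(path).query
    found = [v for _, v in parse_qsl(query, keep_blank_values=True)
             if v.lower().startswith(("http://", "https://"))]
    found += URL_RE.findall(unquote(unquote(query)))
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def scan_access_log(lines) -> dict[str, list[dict]]:
    """Flag save requests with internal targets; list POST saves separately,
    because the access log records only the request line and a URL carried in
    the body cannot be inspected here."""
    flagged, opaque = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or SAVE_ENDPOINT not in m["path"]:
            continue
        record = {"src": m["src"], "user": m["user"], "ts": m["ts"], "method": m["method"]}
        urls = extract_urls(m["path"])
        if not urls and m["method"] == "POST":
            opaque.append(record)
            continue
        for url in urls:
            reason = is_internal_target(url)
            if reason:
                flagged.append({**record, "url": url, "reason": reason})
    return {"flagged": flagged, "needs_body_inspection": opaque}


# Constructed sample log: one benign save, three SSRF attempts in different
# encodings, one POST whose body the access log does not show, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - alice [22/Mar/2026:10:01:02 +0000] "GET /plugin/BulkEmbed/save.json.php?thumbnail=https%3A%2F%2Fcdn.example.com%2Fa.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - alice [22/Mar/2026:10:01:09 +0000] "GET /plugin/BulkEmbed/save.json.php?thumbnail=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - alice [22/Mar/2026:10:01:15 +0000] "GET /plugin/BulkEmbed/save.json.php?thumbnail=http%3A%2F%2F0x7f000001%3A8080%2Fadmin HTTP/1.1" 200 1024 "-" "curl/8.5.0"
198.51.100.9 - bob [22/Mar/2026:10:02:30 +0000] "POST /plugin/BulkEmbed/save.json.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - alice [22/Mar/2026:10:03:00 +0000] "GET /plugin/BulkEmbed/save.json.php?thumbnail=http%253A%252F%252F10.0.0.5%252Fstatus HTTP/1.1" 200 300 "-" "curl/8.5.0"
203.0.113.7 - alice [22/Mar/2026:10:03:05 +0000] "GET /videos/watch?v=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG.splitlines())
    for hit in result["flagged"]:
        print(f"{hit['ts']} {hit['user']}@{hit['src']} {hit['url']}  ({hit['reason']})")
    print(f"{len(result['needs_body_inspection'])} POST save(s) need request-body inspection")
```

Hostnames that are not IP literals are deliberately left unflagged here: deciding them requires resolution, and resolving attacker-chosen names from a detection script is itself a request on the attacker's behalf. Feed those through a resolver only in an isolated analysis environment, and treat the `needs_body_inspection` list as the trigger to pull application logs or proxy body captures for the same timestamps.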
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade WWBN AVideo to version 26.0 or later, where the BulkEmbed save endpoint validates thumbnail URLs with `isSSRFSafeURL()` before fetching them.

If upgrading is not immediately possible, restrict the BulkEmbed plugin to trusted users only, since exploitation requires an authenticated account with BulkEmbed permissions. This narrows the attacker pool but does not remove the flaw: any compromised or malicious account that keeps the permission can still exploit it.

Additionally, add network-level controls that block outbound HTTP from the server to internal IP ranges and cloud metadata addresses. Egress filtering is the control that also holds against SSRF variants a URL string check cannot see, such as a public host that redirects to an internal address or a DNS record that changes between validation and connection. On AWS, requiring IMDSv2 on the instance removes the plain GET-based metadata read that this class of SSRF relies on, because IMDSv2 demands a session token obtained with a PUT request first.

Monitor logs for suspicious activity around the BulkEmbed save endpoint and thumbnail URL fetching to detect exploitation attempts. [1, 2]