CVE-2026-33024

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06	Patch
https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*

History

24 Mar 2026, 16:41

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wwbn:avideo-encoder::::::::
References	~~() https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06 -~~	() https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06 - Patch
References	~~() https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq -~~	() https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq - Mitigation, Vendor Advisory
First Time		Wwbn Wwbn avideo-encoder
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
Summary		(es) AVideo es una plataforma para compartir videos. Las versiones anteriores a la 8.0 contienen una vulnerabilidad de falsificación de petición del lado del servidor (CWE-918) en los puntos finales públicos de miniaturas getImage.php y getImageMP4.php. Ambos puntos finales aceptan un parámetro GET base64Url, lo decodifican en base64 y pasan la URL resultante a ffmpeg como fuente de entrada sin ningún requisito de autenticación. La validación previa solo verificaba que la URL fuera sintácticamente válida (FILTER_VALIDATE_URL) y comenzara con http(s)://. Esto es insuficiente: un atacante puede proporcionar URLs como http://169.254.169.254/latest/meta-data/ (metadatos de instancia de AWS/nube), http://192.168.x.x/, o http://127.0.0.1/ para hacer que el servidor acceda a recursos de red internos. La respuesta no se devuelve directamente (ciega), pero las diferencias de tiempo y los registros de errores pueden usarse para inferir resultados. El problema ha sido solucionado en la versión 8.0.

20 Mar 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 05:16

Updated : 2026-03-24 16:41

NVD link : CVE-2026-33024

Mitre link : CVE-2026-33024

CVE.ORG link : CVE-2026-33024

JSON object : View

Products Affected

wwbn

avideo-encoder

CWE

CWE-918

Server-Side Request Forgery (SSRF)

9.1 /10