CVE-2026-33237

{"id": "CVE-2026-33237", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 1.2}]}, "published": "2026-03-21T00:16:26.523", "references": [{"url": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/issues/10403", "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, la funci\u00f3n 'run()' del plugin Scheduler en 'plugin/Scheduler/Scheduler.php' llama a 'url_get_contents()' con una 'callbackURL' configurable por el administrador que es validada \u00fanicamente por 'isValidURL()' (verificaci\u00f3n de formato de URL). A diferencia de otros endpoints de AVideo que fueron recientemente parcheados para SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), la URL de callback del Scheduler nunca pasa por 'isSSRFSafeURL()', que bloquea las solicitudes a direcciones privadas RFC-1918, loopback y endpoints de metadatos en la nube. Un administrador puede configurar una tarea programada con una 'callbackURL' de red interna para realizar SSRF contra servicios de metadatos de infraestructura en la nube o APIs internas no accesibles de otra manera desde internet. La versi\u00f3n 26.0 contiene un parche para el problema."}], "lastModified": "2026-04-13T18:16:29.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}