WWBN AVideo, SSRF, CVE-2026-33237 (Critical)

Listen to this Post

The vulnerability resides in the Scheduler plugin of WWBN AVideo versions prior to 26.0. The `run()` function inside `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with a `callbackURL` that is configured by an administrator. This URL is validated only via isValidURL(), which merely checks for a correct URL format (scheme, host, etc.) but does not block requests to internal network ranges. In contrast, other recently patched SSRF issues (GHSA-9×67-f2v7-63rw, GHSA-h39h-7cvg-q7j6) introduced the `isSSRFSafeURL()` function that explicitly rejects RFC‑1918 private addresses, loopback (127.0.0.0/8), and cloud metadata endpoints (e.g., 169.254.169.254). Because the Scheduler plugin bypasses this safety check, an authenticated admin can configure a scheduled task with a malicious `callbackURL` pointing to an internal service, a cloud metadata API, or a private API. When the scheduled task executes, the server makes an HTTP request to the supplied URL, effectively performing a Server‑Side Request Forgery (SSRF) attack. This can expose internal infrastructure that is not otherwise reachable from the internet. The flaw was patched in version 26.0 by adding the same `isSSRFSafeURL()` validation to the callback URL.
Platform: WWBN AVideo
Version: Before 26.0
Vulnerability: SSRF via callback
Severity: Critical
date: March 20, 2026

Prediction: Already patched 26.0

What Undercode Say: Analytics

Check if vulnerable version is installed
grep -E '"version": "([0-9]+.[0-9]+)"' /path/to/AVideo/configuration.php
Simulate an SSRF attempt (requires admin session)
curl -X POST -H "Cookie: PHPSESSID=admin_session" \
-d "callbackURL=http://169.254.169.254/latest/meta-data/" \
http://target.com/plugin/Scheduler/run
Diff showing missing SSRF filter
diff -u Scheduler.php.old Scheduler.php.new | grep -A5 -B5 "isSSRFSafeURL"

how Exploit:

An attacker with admin credentials creates a scheduled task in the Scheduler plugin, setting the `callbackURL` to an internal IP address (e.g., http://192.168.1.1/admin`), a loopback address (http://127.0.0.1:8080/`), or a cloud metadata endpoint (`http://169.254.169.254/latest/meta-data/`). When the task runs, the server sends a request to that internal target, leaking sensitive data or interacting with internal services.

Protection from this CVE

Upgrade to WWBN AVideo version 26.0 or later. If immediate upgrade is not possible, apply the patch that backports `isSSRFSafeURL()` validation to the Scheduler plugin. Restrict admin privileges to trusted users only, and consider network‑level egress filtering to block outbound requests to internal IP ranges.

Impact

Successful exploitation enables an attacker to scan internal networks, access cloud instance metadata (potentially exposing IAM credentials), interact with internal APIs, and pivot to other internal systems. This can lead to privilege escalation, data exfiltration, or further compromise of the underlying infrastructure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top