PT-2026-26316 · Avideo · Scheduler Plugin +1

Restriction · Published 2026-03-19 · Updated 2026-03-24 · CVE-2026-33237

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.0
Description: AVideo is an open source video platform. A Server-Side Request Forgery (SSRF) issue exists in the Scheduler plugin due to missing isSSRFSafeURL() validation for the callbackURL parameter. The run() function in plugin/Scheduler/Scheduler.php calls url_get_contents() with an admin-configurable callbackURL that is only validated by isValidURL(), which checks only the URL format. This allows an administrator to configure a scheduled task with an internal-network callbackURL to perform SSRF against cloud infrastructure metadata services or internal APIs. The isValidURL() function does not block internal or private network targets, unlike other AVideo endpoints that were previously patched for SSRF. Exploitation involves setting a callbackURL to an internal network address, such as http://169.254.169.254/latest/meta-data/iam/security-credentials/, and triggering the scheduled task. Successful exploitation can lead to cloud credential theft, internal service probing, and amplification of incomplete-patch issues. The vulnerable code is located at plugin/Scheduler/Scheduler.php:157-166. The vulnerable parameter is callbackURL.
Recommendations: Versions prior to 26.0: add isSSRFSafeURL() validation to the Scheduler callback URL before url_get_contents() is called, consistent with the existing SSRF fixes in plugin/LiveLinks/proxy.php and objects/aVideoEncoder.json.php.
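The recommendation above places a target check between the format check and the fetch. The following is an added example of what such a pre-flight check looks like in PHP; it is not AVideo's code and does not reproduce the signatures of isValidURL(), isSSRFSafeURL() or url_get_contents(). The function names schedulerCallbackIsSafe(), ipIsNonPublic() and fetchSchedulerCallback() are hypothetical, and the sample URLs at the bottom are constructed test inputs (one of them is the metadata address quoted in the description). It assumes PHP 7.1 or later for nullable return types.

```php
<?php
// Added example (not AVideo's code): refuse a Scheduler callbackURL that
// points at a non-public address before any HTTP request is issued.
declare(strict_types=1);

/** True when $ip is loopback, link-local, private, or otherwise non-public. */
function ipIsNonPublic(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10, etc.
    $public = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    if ($public === false) {
        return true;
    }
    // Shared address space 100.64.0.0/10 is not covered by the flags above.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        if ((ip2long($ip) & 0xFFC00000) === 0x64400000) {
            return true;
        }
    }
    return false;
}

/**
 * Returns null when the URL may be fetched, otherwise a human-readable reason.
 * Requires http/https, forbids embedded credentials, and checks every
 * address the host resolves to (a literal IP is checked directly).
 */
function schedulerCallbackIsSafe(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return 'unparseable URL';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme must be http or https';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL are not allowed';
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 literal brackets

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $records = @dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
        $addresses = [];
        foreach ($records as $r) {
            $addresses[] = $r['ip'] ?? $r['ipv6'] ?? '';
        }
        if ($addresses === []) {
            return 'host does not resolve';
        }
    }
    foreach ($addresses as $ip) {
        if ($ip === '' || ipIsNonPublic($ip)) {
            return "resolves to non-public address $ip";
        }
    }
    return null;
}

/** Guarded fetch: the check runs first, and redirects are not followed. */
function fetchSchedulerCallback(string $callbackURL): ?string
{
    $reason = schedulerCallbackIsSafe($callbackURL);
    if ($reason !== null) {
        error_log("Scheduler: refusing callbackURL ($reason)");
        return null;
    }
    // A redirect could point back at an internal host, so it is not followed
    // automatically; a caller that wants redirects must re-run the check.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    // In AVideo this is the point where url_get_contents() is invoked.
    return file_get_contents($callbackURL, false, $ctx) ?: null;
}

// Constructed sample inputs for a stand-alone run.
foreach ([
    'http://169.254.169.254/latest/meta-data/iam/security-credentials/',
    'http://127.0.0.1:8080/',
    'http://[::1]/',
    'ftp://example.invalid/',
] as $u) {
    printf("%-70s %s\n", $u, schedulerCallbackIsSafe($u) ?? 'ok');
}
```

Two caveats a reviewer of such a patch would raise: the resolve-then-fetch sequence is a time-of-check/time-of-use window (the HTTP client may resolve the name again and get a different answer), so a production fix should pin the fetch to the address that was checked or resolve only once; and the check must also be applied when the task is saved, not only when run() fires, so a bad callbackURL is rejected at configuration time.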

Exploit

Fix

SSRF


Weakness Enumeration

Related identifiers

CVE-2026-33237
GHSA-V467-G7G7-HHFH

Affected products

Avideo
Scheduler Plugin