PT-2026-26472 · Avideo · Bulkembed+1

Restriction · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33294

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.0

Description: The BulkEmbed plugin in AVideo contains a server-side request forgery (SSRF) issue. The save.json.php endpoint within the plugin fetches user-supplied thumbnail URLs with the url_get_contents() function without any SSRF protection. This allows an authenticated attacker to make HTTP requests to internal network resources and read the responses by viewing the saved video thumbnail. All other URL-fetching endpoints in AVideo are protected by the isSSRFSafeURL() function, but this code path was missed. The result is a full-read SSRF: the HTTP response body is written to disk as the video thumbnail and served back to the attacker. The affected endpoint is plugin/BulkEmbed/save.json.php and the vulnerable parameter is thumbs. Exploitation involves sending a malicious thumbnail URL via the itemsToSave POST parameter. Potential targets include cloud metadata endpoints (AWS, GCP, Azure) and internal network services. Successful exploitation could lead to cloud credential theft, internal network reconnaissance, and data exfiltration.

Recommendations: Versions prior to 26.0 should be updated to version 26.0 or later. Add isSSRFSafeURL() validation before the url_get_contents() call in plugin/BulkEmbed/save.json.php, consistent with all other URL-fetching endpoints.
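The guard the recommendation describes, as an added illustrative example in PHP; it is not AVideo's own isSSRFSafeURL() implementation. The function names is_thumbnail_url_safe() and fetch_thumbnail_guarded(), the injectable $fetch callable standing in for url_get_contents(), and the exact allow/deny policy are assumptions made for this example.

```php
<?php
// Added example, not AVideo's code: a minimal URL check of the kind the advisory says is
// missing in plugin/BulkEmbed/save.json.php. The thumbnail URL is validated before any
// request is made. Function names and the exact policy are assumptions.

function is_thumbnail_url_safe(string $url): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;                                  // malformed or relative URL
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                                  // file://, gopher://, ... are never thumbnails
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                                  // embedded credentials: classic parser-confusion trick
    }
    $host = trim($p['host'], '[]');                    // strip IPv6 literal brackets
    // Resolve names so that a hostname pointing at an internal address is caught too.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;                                  // unresolvable host
    }
    foreach ($ips as $ip) {
        // Reject loopback, link-local (where cloud metadata services live), RFC 1918 and
        // reserved ranges: the "internal network resources" the advisory refers to.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Guarded fetch: $fetch stands in for AVideo's url_get_contents(). The body is only
// accepted as a thumbnail when it really is an image, so a non-image response from an
// internal service is never written to disk and served back to the requester.
function fetch_thumbnail_guarded(string $url, callable $fetch = 'file_get_contents'): ?string {
    if (!is_thumbnail_url_safe($url)) {
        error_log("BulkEmbed: rejected thumbnail URL {$url}");
        return null;
    }
    $body = $fetch($url);
    if (!is_string($body) || $body === '') {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    return str_starts_with((string) $mime, 'image/') ? $body : null;
}
```

Note the gap between resolving and fetching: the HTTP client may re-resolve the name to a different address, so a stronger version pins the connection to the validated IP and re-applies the check to every redirect target.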

Tags: SSRF
Related Identifiers

CVE-2026-33294
GHSA-66CW-H2MJ-J39P

Affected Products

Avideo
Bulkembed