PT-2026-26561 · Avideo · Avideo

Danielnetodotcom · Published 2026-03-20 · Updated 2026-03-20 · CVE-2026-33024

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 8.0
Description: AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery issue (CWE-918) in the public thumbnail endpoints "getImage.php" and "getImageMP4.php". These endpoints accept a base64Url GET parameter, decode it, and pass the resulting URL to ffmpeg as an input source without authentication. The original validation only confirmed that the URL was syntactically valid and began with http(s)://, which is insufficient: it says nothing about where the URL points. An attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server contact internal network resources. The response is not returned directly, but timing differences and error logs can be used to infer the result (a blind SSRF).
Recommendations: Versions prior to 8.0 should be updated to version 8.0.
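To make the validation gap concrete, here is an added example (not AVideo's code and not the upstream fix) that models the prefix-only check the advisory describes next to a hardened validator which resolves the target and rejects loopback, link-local and private address ranges; the function names weakCheck, isPublicAddress and hardenedCheck are hypothetical.

```php
<?php
// Added example, not AVideo's code: the advisory's prefix-only check beside a
// hardened validator. Function names are hypothetical.
function weakCheck(string $url): bool
{
    // What the advisory describes: syntactically valid and starts with http(s)://.
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && preg_match('#^https?://#i', $url) === 1;
}
function isPublicAddress(string $ip): bool
{
    // NO_PRIV_RANGE drops RFC 1918 and fc00::/7; NO_RES_RANGE drops loopback,
    // link-local (169.254.0.0/16, i.e. the cloud metadata address), 0.0.0.0/8,
    // ::1 and IPv4-mapped IPv6 (::ffff:0:0/96). 100.64.0.0/10 is NOT covered.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
function hardenedCheck(string $url): bool
{
    if (!weakCheck($url)) { return false; }
    $parts = parse_url($url);
    if (empty($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
        return false; // reject empty hosts and embedded credentials
    }
    $host = trim($parts['host'], '[]'); // unwrap a bracketed IPv6 literal
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return isPublicAddress($host); // literal IP: check it directly
    }
    // Hostname: every resolved address must be public. The fetch must then connect
    // to one of these checked addresses (not re-resolve), or DNS rebinding undoes this.
    $records = @dns_get_record($host, DNS_A + DNS_AAAA);
    if (empty($records)) { return false; }
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($ip === null || !isPublicAddress($ip)) { return false; }
    }
    return true;
}
// Constructed inputs: the advisory's examples plus one public host.
foreach (['http://169.254.169.254/latest/meta-data/', 'http://127.0.0.1/',
          'http://192.168.1.10/', 'https://example.com/video.mp4'] as $u) {
    printf("%-45s weak=%d hardened=%d\n", $u, weakCheck($u), hardenedCheck($u));
}
```

The first three URLs pass weakCheck and fail hardenedCheck; the validated address must also be the one actually contacted, and ffmpeg's own -protocol_whitelist option can further restrict the input to the protocols the thumbnail feature needs.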

Tags: SSRF

Weakness Enumeration: CWE-918 (Server-Side Request Forgery)

Related Identifiers: CVE-2026-33024, GHSA-H9GH-866R-6VGQ

Affected Products: Avideo