PT-2026-28536 · Avideo · Avideo
Kodareef5 · Published 2026-03-26 · Updated 2026-03-27
CVE-2026-33766 · CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
AVideo versions up to and including 26.0
Description
AVideo, an open source video platform, is susceptible to a Server-Side Request Forgery (SSRF) bypass. The
isSSRFSafeURL() function validates URLs against private IP ranges before fetching, but the url get contents() function follows HTTP redirects without re-validating the target URL. This allows an attacker to bypass SSRF protection by redirecting from a public URL to an internal target. The vulnerable code resides in objects/functions.php. Specifically, the isSSRFSafeURL() function is located at line 4066 and the url get contents() function is located at line 1990. The affected endpoint is objects/aVideoEncoderReceiveImage.json.php at lines 67-68, 107-108, 135-136, and 160-161. The downloadURL image parameter is used in the vulnerable code. An attacker can exploit this by setting up a redirector that responds with a 302 redirect to an internal target, such as a cloud metadata service. This allows access to sensitive information and internal network services. The curl path within url get contents() is not affected as it does not set CURLOPT FOLLOWLOCATION.Recommendations
AVideo versions up to and including 26.0: Set
follow location to 0 in the stream context and handle redirects manually with re-validation, or add an isSSRFSafeURL() check inside url get contents() after resolving the final URL.Exploit
Fix
SSRF
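The bypass and the recommended fix side by side, as an added example that is not AVideo's own code. A simplified url_is_ssrf_safe() stands in for the project's isSSRFSafeURL(), and both fetchers take a hypothetical injectable $transport callable so the 302-to-metadata chain can be simulated offline with a constructed redirector. fetch_check_once() reproduces the vulnerable pattern (validate once, then follow redirects blindly); fetch_check_every_hop() is the fix, and stream_transport() shows the follow_location => 0 stream context for real use. Assumes PHP 8 or later.

```php
<?php
// Added example, not AVideo's own code. It shows the redirect-based SSRF bypass
// described above next to the recommended fix: follow_location off, and every
// redirect target re-validated before it is fetched.
// Assumptions: PHP 8+; url_is_ssrf_safe() is a simplified stand-in for AVideo's
// isSSRFSafeURL(); $transport is a hypothetical injectable fetcher so the
// redirect chain can be simulated offline.
declare(strict_types=1);

function url_is_ssrf_safe(string $url): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) { return false; }
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) { return false; }
    // IP literal: check it directly; hostname: check every address it resolves to.
    $host = $p['host'];
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) { return false; }                  // fail closed on unresolvable hosts
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 (and fc00::/7);
        // NO_RES_RANGE rejects 127/8, 0/8, 240/4 and 169.254/16, which covers
        // the cloud metadata address 169.254.169.254.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) { return false; }
    }
    return true;
}

// Turn a Location header into an absolute URL (absolute, scheme-relative or path-relative).
function resolve_location(string $base, string $location): string {
    $loc = parse_url($location);
    if ($loc !== false && !empty($loc['scheme'])) { return $location; }
    $b = parse_url($base);
    $scheme = $b['scheme'] ?? 'http';
    if (str_starts_with($location, '//')) { return $scheme . ':' . $location; }
    $origin = $scheme . '://' . ($b['host'] ?? '') . (isset($b['port']) ? ':' . $b['port'] : '');
    if (str_starts_with($location, '/')) { return $origin . $location; }
    return $origin . rtrim(dirname($b['path'] ?? '/'), '/') . '/' . $location;
}

function is_redirect(array $r): bool {
    return $r['status'] >= 300 && $r['status'] < 400 && isset($r['headers']['location']);
}

// Vulnerable pattern (what the advisory describes): one check up front, then
// redirects are followed blindly, as file_get_contents does with follow_location = 1.
function fetch_check_once(string $url, callable $transport, int $maxRedirects = 5): ?string {
    if (!url_is_ssrf_safe($url)) { return null; }
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $r = $transport($url);
        if (!is_redirect($r)) { return $r['body']; }
        $url = resolve_location($url, $r['headers']['location']); // no re-validation here
    }
    return null;
}

// Fixed pattern: the transport never follows redirects itself, and each hop
// (initial URL and every redirect target) is validated before it is fetched.
function fetch_check_every_hop(string $url, callable $transport, int $maxRedirects = 5): ?string {
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        if (!url_is_ssrf_safe($url)) { return null; }   // internal target at this hop: refuse
        $r = $transport($url);
        if (!is_redirect($r)) { return $r['body']; }
        $url = resolve_location($url, $r['headers']['location']);
    }
    return null;                                        // too many redirects
}

// Real transport for production use: a stream context with follow_location => 0,
// so PHP hands the 3xx back to the caller instead of following it.
function stream_transport(string $url): array {
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'ignore_errors' => true, 'timeout' => 10]]);
    $body = @file_get_contents($url, false, $ctx);
    $status = 0;
    $headers = [];
    foreach ($http_response_header ?? [] as $line) {    // populated by file_get_contents in this scope
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];
        } elseif (str_contains($line, ':')) {
            [$k, $v] = explode(':', $line, 2);
            $headers[strtolower(trim($k))] = trim($v);
        }
    }
    return ['status' => $status, 'headers' => $headers, 'body' => $body === false ? '' : $body];
}

// Constructed offline simulation of the attack: a "public" redirector at a
// TEST-NET address answers 302 with Location pointing at the metadata service.
$redirector = function (string $url): array {
    if ($url === 'http://203.0.113.10/avatar.png') {
        return ['status' => 302, 'headers' => ['location' => 'http://169.254.169.254/latest/meta-data/'], 'body' => ''];
    }
    if (str_starts_with($url, 'http://169.254.169.254/')) {
        return ['status' => 200, 'headers' => [], 'body' => 'instance credentials (must never be reachable)'];
    }
    return ['status' => 200, 'headers' => [], 'body' => '<image bytes>'];
};

var_dump(fetch_check_once('http://203.0.113.10/avatar.png', $redirector));      // follows the 302 into the metadata service
var_dump(fetch_check_every_hop('http://203.0.113.10/avatar.png', $redirector)); // refuses the redirect target
var_dump(fetch_check_every_hop('http://203.0.113.10/logo.png', $redirector));   // ordinary image fetch still works
```

Two caveats for anyone porting this. First, of the advisory's two options, re-validating each hop before following it is the safer one: if the "final URL" is only known after the response has been read, the request to the internal host has already gone out. Second, the check resolves the hostname separately from the fetch, so a DNS answer that changes between the two (rebinding) can still slip through; pinning the connection to the validated address (for example with curl's CURLOPT_RESOLVE) closes that gap. PHP's filter flags also do not cover every special-purpose range (100.64.0.0/10, for one), so extend the blocklist to match the deployment.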
Affected Products
Avideo