{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33024", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.668Z", "datePublished": "2026-03-20T04:58:47.845Z", "dateUpdated": "2026-03-20T04:58:47.845Z"}, "containers": {"cna": {"title": "AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq"}, {"name": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06"}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"version": "< 8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:58:47.845Z"}, "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."}], "source": {"advisory": "GHSA-h9gh-866r-6vgq", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0."}], "id": "CVE-2026-33024", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:15.717", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo-Encoder", "source": "cna", "vendor": "WWBN"}, "product": "avideo-encoder", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-20T06:22:58.380187+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch by upgrading to AVideo\u2011Encoder version 8.0 or later", "If immediate upgrade is not possible, restrict access to the public thumbnail endpoints using network segmentation or firewall rules so that outgoing requests can only reach approved external services"], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of AVideo\u2011Encoder prior to 8.0 released by WWBN:AVideo\u2011Encoder. Versions 8.0 and later contain a fix that removes or secures the public thumbnail generation endpoints.", "description_and_impact": "AVideo-Encoder\u2019s public thumbnail endpoints, getImage.php and getImageMP4.php, accept a base64\u2011encoded URL via a GET parameter, decode it, and pass the resulting URL directly to ffmpeg without authentication. The only validation performed checks that the string is a syntactically valid HTTP/HTTPS URL, which is insufficient. An attacker can therefore supply URLs such as http://169.254.169.254/latest/meta-data/, http://192.168.x.x/, or http://127.0.0.1/, causing the server to reach internal network resources or cloud instance metadata. The attack is blind; while no response is returned directly to the attacker, timing differences and error logs can be leveraged to infer whether the request succeeded, enabling internal enumeration and potentially facilitating more serious attacks.", "risk_and_exploitability": "With a CVSS score of 9.3 the risk is considered critical. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would simply need to send a crafted GET request to getImage.php or getImageMP4.php, which are publicly reachable without authentication. Because the flaw is a blind SSRF, detection requires monitoring of timing or logs, but once discovered it can expose internal services or metadata, creating a foothold for further exploitation."}}}}, "created": "2026-03-20T08:52:33.803700+00:00", "updated": "2026-03-20T10:37:15.489774+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo-encoder"]}