5.5
AVideo Scheduler Plugin Allows Internal Network Access
GHSA-v467-g7g7-hhfh
CVE-2026-33237
Summary
A server-side request forgery (SSRF) issue in the Scheduler plugin in AVideo allows administrators to make the server reach internal network services, potentially exposing sensitive data. This can happen when a scheduled task is configured with a callback URL that points to an internal network address, because that URL is only checked for valid format, not for a safe destination. To protect your system, ensure that scheduled-task callback URLs only reference publicly accessible addresses.
What to do
No fix is available yet. Check with your software vendor for updates. Note that the original advisory description below states that version 26.0 contains a patch for the issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wwbn | avideo | <= 14.0 | – |
Original description
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
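The kind of destination check the description says the Scheduler's `callbackURL` never receives, written here as an added example in Python; it is not AVideo's `isSSRFSafeURL()` and not the project's code. The blocked-host list and the injectable `resolve` callback are assumptions made so the check can be exercised offline with a constructed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames that must never be fetched regardless of what they resolve to.
# 169.254.169.254 is the link-local address cloud metadata services use.
BLOCKED_HOSTS = {"localhost", "169.254.169.254", "metadata.google.internal"}


def _dns_resolve(host):
    """Default resolver: every A/AAAA answer for host (does a network lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_ssrf_safe_url(url, resolve=_dns_resolve):
    """True only if url is http(s) and every address its host resolves to is
    globally routable: RFC 1918, loopback, link-local (metadata) and other
    special-purpose ranges are rejected. `resolve` is injectable so callers
    (and tests) can supply their own lookup; any lookup error fails closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return False
    try:
        addrs = {host} if _is_ip_literal(host) else resolve(host)
    except OSError:  # socket.gaierror and friends: cannot verify, so deny
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.1) before classifying,
        # otherwise a private IPv4 target can hide inside an IPv6 literal.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False
    return True  # every answer is public: safe to hand to a fetch routine
```

The name resolved at check time can differ from the one used at fetch time (DNS rebinding), so the same classification should also be applied to the address the HTTP client actually connects to, for example through a pinned resolver.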
CVSS 3.1 score (GHSA): 5.5
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 19 Mar 2026