Cyber Posture

CVE-2026-33024

Critical

Published: 20 March 2026

Modified: 24 March 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33024 is a critical-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in WWBN's AVideo video-sharing platform, tracked on this page under the product name Avideo-Encoder. Its CVSS base score is 9.1 (Critical). Two unauthenticated thumbnail endpoints, getImage.php and getImageMP4.php, hand an attacker-supplied URL to ffmpeg after checking only that it is syntactically valid and uses http(s).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it at the 9.3rd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. The low EPSS score reflects predicted exploitation activity, not difficulty: the endpoint is reachable without credentials and a single GET request triggers the server-side fetch.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) for initial access, followed by the internal discovery and cloud-metadata credential-access techniques listed below (one of the listed IDs, T1522, is the retired predecessor of T1552.005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires rigorous validation of the base64Url input parameter to reject URLs that target internal resources such as cloud metadata endpoints or localhost, directly preventing the SSRF exploitation. A denylist of literal addresses such as 169.254.169.254 and 127.0.0.1 is not sufficient on its own: alternate address encodings, hostnames that resolve to internal addresses, and HTTP redirects all bypass a string match, so the check should be applied to the addresses the hostname actually resolves to and re-applied on every redirect the fetcher follows.

AC-4 Information Flow Enforcement (prevent)
Enforces information flow control policies that prohibit the application server from accessing internal network resources such as 169.254.169.254 or 127.0.0.1 when processing externally supplied URLs.

SC-7 Boundary Protection (prevent)
Monitors and controls outbound communications at system boundaries to block requests from the vulnerable endpoints to internal IPs or metadata services via ffmpeg. Because this SSRF is blind, egress denials from the web-server or ffmpeg process identity are also the most reliable detection signal once such a rule is in place.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1522 Cloud Instance Metadata API Credential Access (revoked; superseded by sub-technique T1552.005 below)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1018 Remote System Discovery Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in the unauthenticated public thumbnail endpoints is itself an instance of T1190 (exploitation of a public-facing application). From there, the server-side fetch can be pointed at the cloud instance metadata service (for example 169.254.169.254), which maps to T1552.005 (T1522 is the retired ID for the same behaviour), and at arbitrary internal addresses and ports, which maps to T1046 and T1018 (internal service and system discovery). Because the SSRF is blind, these follow-on steps rely on timing and error-log side channels rather than on reading the fetched response directly.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.

Deeper analysis

CVE-2026-33024 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting AVideo, an open-source video-sharing platform. Versions prior to 8.0 are vulnerable in the public thumbnail endpoints getImage.php and getImageMP4.php. These endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL directly to ffmpeg as an input source without authentication. The existing validation only ensured syntactic validity via FILTER_VALIDATE_URL and a http(s):// prefix, which is insufficient to prevent access to internal resources.

The vulnerability is exploitable by unauthenticated remote attackers (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, score 9.1). An attacker can supply a base64-encoded URL pointing to internal services, such as http://169.254.169.254/latest/meta-data/ for AWS instance metadata, http://192.168.x.x/, or http://127.0.0.1/, causing the server to fetch these resources via ffmpeg. As a blind SSRF, the response is not directly returned to the attacker, but results can be inferred through timing differences or server error logs, potentially enabling network reconnaissance, metadata exfiltration, or further internal pivoting.

The issue has been fixed in AVideo version 8.0. The GitHub security advisory (GHSA-h9gh-866r-6vgq) and fixing commit (f9df098534a0e05fd431e771ac9d70f0f36f1c06) detail the patch, which security practitioners should review for deployment guidance on affected instances.
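The following Python script is an added example and is not AVideo's code or the contents of the fixing commit. It approximates the pre-8.0 check described above (syntactic URL plus http(s) scheme), replaces it with a resolve-then-check validator that carries the SI-10 / AC-4 intent from the controls section, and runs the same validator over constructed Apache-style access-log lines to surface probes against getImage.php and getImageMP4.php. The blocked address ranges, the host cdn.example.org, the log lines and the fixture_resolver DNS answers are assumptions made so the example runs offline; in production the real resolver (resolve_all) is used.

```python
"""Added example, not AVideo's code or patch: the old check as the advisory describes it,
a resolve-then-check replacement (SI-10 / AC-4 intent), and an access-log scan."""
import base64
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Optional, Tuple, Union
from urllib.parse import parse_qs, quote, urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[IPAddr]]

# Assumed egress policy: loopback, link-local (cloud metadata), RFC 1918, CGNAT, multicast,
# reserved and their IPv6 counterparts are never valid fetch targets. Adjust per deployment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

def weak_check(url: str) -> bool:
    """Approximates the old validation: parseable URL with an http(s) scheme. Nothing more."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def resolve_all(host: str) -> List[IPAddr]:
    """Every A/AAAA answer for host; IP literals come back as themselves."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]

def is_blocked(ip: IPAddr) -> bool:
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def hardened_check(url: str, resolve: Resolver = resolve_all) -> Tuple[bool, str]:
    """Check scheme, host and every address the host resolves to. Re-run on each redirect
    hop the fetcher follows, or a public host that passes here can bounce it inward."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) URL with a host"
    try:
        addrs = list(resolve(host))
    except (socket.gaierror, ValueError):
        addrs = []
    if not addrs:
        return False, "unresolvable host"
    blocked = [str(ip) for ip in addrs if is_blocked(ip)]
    if blocked:
        return False, "resolves to blocked address " + ", ".join(blocked)
    return True, "ok"

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) \S*?(?P<endpoint>getImage(?:MP4)?\.php)\?(?P<qs>\S*)')

def decode_base64url(value: str) -> Optional[str]:
    """Decode as the endpoints do, tolerating the URL-safe alphabet and missing padding."""
    value = value.strip()
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def scan_log(lines: Iterable[str], resolve: Resolver = resolve_all) -> List[dict]:
    """Flag thumbnail requests whose decoded base64Url fails hardened_check (blind SSRF
    leaves little else behind, so the access log is where it shows up)."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        raw = parse_qs(m.group("qs")).get("base64Url", [""])[0] if m else ""
        if not raw:
            continue
        url = decode_base64url(raw)
        allowed, reason = hardened_check(url, resolve) if url else (False, "base64Url does not decode")
        if not allowed:
            findings.append({"client": line.split(" ", 1)[0], "endpoint": m.group("endpoint"),
                             "url": url, "reason": reason})
    return findings

def _line(client: str, path: str, url: Optional[str], status: int) -> str:
    qs = "?base64Url=" + quote(base64.b64encode(url.encode()).decode(), safe="") if url else ""
    return f'{client} - - [20/Mar/2026:10:01:02 +0000] "GET {path}{qs} HTTP/1.1" {status} 0 "-" "curl/8.6.0"'

SAMPLE_LOG = [  # constructed lines in Apache combined format; not a real capture
    _line("203.0.113.7", "/getImage.php", "http://169.254.169.254/latest/meta-data/", 500),
    _line("198.51.100.9", "/getImageMP4.php", "https://cdn.example.org/clip.mp4", 200),
    _line("203.0.113.7", "/getImage.php", "http://localhost:8080/", 500),
    _line("203.0.113.7", "/index.php", None, 200),
]

def fixture_resolver(host: str) -> List[IPAddr]:
    """Assumed DNS answers so the example runs offline; production passes resolve_all."""
    table = {"cdn.example.org": ["203.0.113.50"], "localhost": ["127.0.0.1", "::1"]}
    return [ipaddress.ip_address(a) for a in table.get(host, [host])]  # literal or ValueError

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, fixture_resolver):
        print("FLAG", finding)
```

Running the script flags the two requests from 203.0.113.7 (the metadata probe and the localhost:8080 probe) and passes the CDN fetch. The validator only decides admissibility; it has to be paired with the fetcher's behaviour, since ffmpeg's HTTP input follows redirects and an allowed public host can redirect the fetch to an internal address after the check passes. Re-validating each hop, or refusing redirects altogether, closes that gap, and an SC-7 egress rule that drops traffic from the ffmpeg process identity to the blocked ranges catches whatever the validator misses. Over real logs, call scan_log with the default resolver; a hostname that no longer resolves is then reported as "unresolvable host" rather than silently passed.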

Details

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)
Affected Products

wwbn
avideo-encoder
< 8.0 (fixed in 8.0)

CVEs Like This One

CVE-2026-29058 (same product: Wwbn Avideo-Encoder)
CVE-2026-33025 (same product: Wwbn Avideo-Encoder)
CVE-2026-33480 (same vendor: Wwbn)
CVE-2026-27732 (same vendor: Wwbn)
CVE-2026-33039 (same vendor: Wwbn)
CVE-2026-33351 (same vendor: Wwbn)
CVE-2026-33502 (same vendor: Wwbn)
CVE-2026-41055 (same vendor: Wwbn)
CVE-2026-39370 (same vendor: Wwbn)
CVE-2026-41060 (same vendor: Wwbn)
