CVE-2026-33039
Published: 20 March 2026
Summary
CVE-2026-33039 is a high-severity SSRF (CWE-918) vulnerability in Wwbn Avideo. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires comprehensive validation of user-supplied URLs, including redirect targets, to block SSRF exploitation in the proxy endpoint.
Enforces information flow policies restricting server-initiated requests to authorized external destinations, preventing access to internal networks via redirects.
Deploys boundary protections like firewalls or WAFs to monitor and block unauthorized outbound requests from the application to internal services.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web endpoint (proxy.php) directly matches T1190 for initial exploitation; explicit support for reaching cloud metadata endpoints enables T1522 and associated credential retrieval via T1552.005.
NVD Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location…
more
header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.
Deeper analysisAI
CVE-2026-33039 is a server-side request forgery (SSRF) vulnerability affecting WWBN AVideo, an open source video platform, in versions 25.0 and below. The issue resides in the plugin/LiveLinks/proxy.php endpoint, which validates user-supplied URLs against internal or private networks using the isSSRFSafeURL() function. However, this validation applies only to the initial URL; if the initial URL responds with an HTTP redirect via a Location header, the redirect target is subsequently fetched using fakeBrowser() without re-validation, enabling access to internal services such as cloud metadata endpoints or RFC1918 addresses.
The vulnerability can be exploited by any unauthenticated attacker over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). By supplying a malicious initial URL that passes validation but redirects to an internal target under attacker control, exploitation allows the server to make unauthorized requests to protected resources, resulting in high confidentiality impact through data disclosure from internal networks.
The vulnerability, tracked under CWE-918 (Server-Side Request Forgery), has been addressed in AVideo version 26.0. Security practitioners should upgrade to this patched version. Detailed fix information is available in the commit at https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917 and the GitHub Security Advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw.
Details
- CWE(s)