{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T23:52:37.291","vulnerabilities":[{"cve":{"id":"CVE-2026-33294","sourceIdentifier":"security-advisories@github.com","published":"2026-03-22T17:17:09.100","lastModified":"2026-03-24T21:14:36.193","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, el endpoint de guardado del plugin BulkEmbed ('plugin/BulkEmbed/save.json.php') obtiene URLs de miniaturas proporcionadas por el usuario a través de 'url_get_contents()' sin protección SSRF. A diferencia de los otros seis endpoints de obtención de URLs en AVideo que fueron reforzados con 'isSSRFSafeURL()', esta ruta de código fue omitida. Un atacante autenticado puede forzar al servidor a realizar solicitudes HTTP a recursos de red internos y recuperar las respuestas al ver la miniatura del video guardado. La versión 26.0 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndExcluding":"26.0","matchCriteriaId":"B468F0CE-E5E7-4607-BD15-B5763C47493E"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/commit/4589a3a089baf4ea439481f5088b38a8aa9c82b6","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}