Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1, 14.3.1
CVE-2026-33766 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in wwbn/avideo versions up to 26.0. This flaw allows attackers to bypass SSRF protection mechanisms by manipulating HTTP redirects, potentially granting access to internal resources. While a direct fix is pending, understanding the vulnerability and implementing temporary mitigations is crucial for protecting your systems.
The SSRF vulnerability in wwbn/avideo stems from a gap between the validation and the fetching phases of URL handling. The isSSRFSafeURL() function checks the supplied URL against private and reserved IP ranges before any content is fetched. However, url_get_contents() retrieves the content with file_get_contents(), which follows HTTP redirects by default, and the redirect target is never re-validated. An attacker can therefore supply a publicly reachable URL that redirects to an internal address, bypassing the initial check entirely. This could lead to unauthorized access to sensitive internal data or services, or even command execution on internal systems if those services are themselves vulnerable. The blast radius depends on which internal services are reachable from the application host.
CVE-2026-33766 was publicly disclosed on 2026-03-26. Currently, there is no indication of active exploitation or a listing on CISA KEV. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature makes it likely that POCs will emerge. The EPSS score is pending evaluation.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
Given that a direct patch is not yet available, several mitigation strategies can be employed. First, place a Web Application Firewall (WAF) or reverse proxy in front of the application to filter requests containing suspicious redirects; configure it to block requests with excessive redirects or redirects targeting internal IP addresses. Second, disable HTTP redirect following within url_get_contents() if possible, or implement custom redirect validation logic that re-checks every hop. Finally, review and restrict the permissions of the user account running the wwbn/avideo application to minimize the impact of a successful SSRF attack. After implementing these mitigations, verify their effectiveness by attempting to trigger the SSRF with a controlled redirect in a test environment.
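The validate-then-fetch gap described above, and the "disable redirects or re-validate each hop" mitigation, are illustrated by the following added example. It is not AVideo's code and not the project's fix; the function names isSafeUrl(), fetchVulnerable() and fetchHardened() are hypothetical, and the hardened variant shows one way to re-run the SSRF check on every redirect hop using PHP's http stream wrapper with follow_location disabled.

```php
<?php
// Added illustration, not AVideo's own code. Function names are hypothetical.

// Reject URLs whose host resolves to loopback, private or reserved ranges.
function isSafeUrl(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    // Literal IP: check it directly. Hostname: check every A record it resolves to.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false; // unresolvable or bracketed IPv6 literal: fail closed
    }
    foreach ($ips as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return false;
        }
    }
    return true;
}

// Vulnerable pattern: validate once, then let file_get_contents() follow
// Location headers on its own (the http wrapper's follow_location defaults
// to 1, with up to 20 redirects). A 3xx pointing at an internal address is
// followed without any further check.
function fetchVulnerable(string $url) {
    if (!isSafeUrl($url)) {
        return false;
    }
    return @file_get_contents($url);
}

// Hardened pattern: turn automatic redirects off, inspect the response
// ourselves, and re-run isSafeUrl() on every hop, with a hop limit.
function fetchHardened(string $url, int $maxHops = 5) {
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'ignore_errors' => true, 'timeout' => 5],
    ]);
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isSafeUrl($url)) {
            return false; // initial URL or a redirect target is unsafe
        }
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) {
            return false;
        }
        // The http wrapper populates $http_response_header in this scope.
        $status = 0;
        $location = null;
        foreach ($http_response_header ?? [] as $header) {
            if (preg_match('#^HTTP/\S+\s+(\d{3})#', $header, $m)) {
                $status = (int) $m[1];
            } elseif (stripos($header, 'Location:') === 0) {
                $location = trim(substr($header, 9));
            }
        }
        if ($status < 300 || $status >= 400 || $location === null || $location === '') {
            return $body; // not a redirect: done
        }
        // Resolve a relative Location against the current URL's origin.
        if (!preg_match('#^https?://#i', $location)) {
            $p = parse_url($url);
            $base = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
            $location = $base . ($location[0] === '/' ? $location : '/' . $location);
        }
        $url = $location; // loop back and validate the new target
    }
    return false; // redirect chain too long
}
```

Note that even the hardened variant resolves the hostname twice, once in isSafeUrl() and once inside file_get_contents(), so a DNS answer that changes between the two lookups (DNS rebinding) could still slip through; closing that requires connecting to the already-validated IP and sending the Host header explicitly, which is beyond this example.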
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12. This will prevent SSRF bypass via HTTP redirects.
CVE-2026-33766 is an SSRF vulnerability in wwbn/avideo versions up to 26.0, allowing attackers to bypass SSRF protection via HTTP redirects and potentially access internal resources.
You are affected if you are using wwbn/avideo version 26.0 or earlier. Assess your environment to determine if you are using this component.
Upgrade to a patched version of wwbn/avideo when available. Until then, implement WAF rules, disable redirects, and restrict user permissions.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the wwbn/avideo project's official website or repository for updates and advisories regarding CVE-2026-33766.