Platform
php
Component
wwbn/avideo
Fixed version
26.0.1
26.0
CVE-2026-33237 describes a Server-Side Request Forgery (SSRF) vulnerability within the Scheduler plugin of the wwbn/avideo project. This flaw allows an attacker to craft a malicious callbackURL that bypasses inadequate validation, enabling unauthorized access to internal network resources. The vulnerability impacts versions of wwbn/avideo up to 25.0, and a fix is available in version 26.0.
The SSRF vulnerability in wwbn/avideo's Scheduler plugin allows an attacker with administrative privileges to trigger requests to arbitrary internal or external URLs. By configuring a malicious callbackURL, an attacker can potentially access sensitive data residing on internal servers, interact with internal APIs, or even perform actions on behalf of the application. This could lead to data breaches, privilege escalation, and disruption of services. The lack of proper validation on the callbackURL mirrors previous SSRF vulnerabilities in AVideo, highlighting a recurring security concern.
CVE-2026-33237 was published on March 19, 2026. Exploitation probability is currently considered medium, given the requirement for administrative access and the need to configure a malicious scheduled task. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it likely that one will emerge. The vulnerability shares similarities with previously disclosed SSRF flaws in AVideo, suggesting potential for automated exploitation.
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33237 is to upgrade to wwbn/avideo version 26.0 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider a Web Application Firewall (WAF) rule that rejects callbackURL values matching patterns for internal or otherwise disallowed destinations. Additionally, restrict the AVideo server's outbound network access to only the connections it actually needs. After upgrading, verify the fix by attempting to configure a scheduled task with a callbackURL pointing to an internal resource; the request should be blocked.
Update the AVideo Scheduler plugin to version 26.0 or later. This version adds proper validation (`isSSRFSafeURL()`) of the callback URL, thereby preventing SSRF attacks.
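To make concrete what "proper validation of the callback URL" has to cover, the following PHP block is an added illustration written for this page; it is not AVideo's `isSSRFSafeURL()` and does not reproduce the project's code. The function names (`isCallbackUrlSafe`, `isPublicAddress`), the injected resolver and the sample hostnames are all hypothetical. It shows the checks a defender expects from such a validator: scheme allow-listing, rejection of embedded credentials, resolution of the hostname, and rejection of every address that is loopback, private (RFC 1918 / fc00::/7), link-local, or otherwise reserved.

```php
<?php
// Added example of SSRF-safe callback-URL validation (hypothetical, not AVideo's code).
declare(strict_types=1);

/**
 * Return true only when $url is an absolute http(s) URL whose host resolves
 * exclusively to public addresses. A resolver callable is injected so the
 * check can be exercised offline and so the caller controls DNS behaviour.
 */
function isCallbackUrlSafe(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // relative URLs and unparsable input are rejected outright
    }
    // Only plain web schemes; file://, gopher://, dict:// and friends are excluded.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials (http://user:pass@host) are a common obfuscation trick.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 literal brackets

    // Default resolver: A records only. A production validator would also
    // query AAAA records (dns_get_record) and apply the same checks to them.
    $resolver ??= fn(string $h): array => gethostbynamel($h) ?: [];

    // A literal IP is checked directly; a hostname must resolve to public IPs only.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($addresses === []) {
        return false; // unresolvable names are rejected rather than trusted
    }
    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return false; // one internal address is enough to refuse the URL
        }
    }
    return true;
}

/** Reject loopback, RFC 1918, link-local and other reserved ranges. */
function isPublicAddress(string $ip): bool
{
    // FILTER_FLAG_NO_PRIV_RANGE covers 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // FILTER_FLAG_NO_RES_RANGE covers 0/8, 127/8, 169.254/16, 240/4, ::1, :: and more.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Constructed resolver so the example runs without network access.
$fakeDns = fn(string $h): array => match ($h) {
    'cdn.example.com'        => ['203.0.113.10'], // documentation range, treated as public
    'internal.corp.example'  => ['10.0.0.5'],     // private range
    default                  => [],
};

foreach ([
    'https://cdn.example.com/hook',
    'http://internal.corp.example/admin',
    'http://127.0.0.1:8080/',
    'http://[::1]/',
    'http://user:pw@cdn.example.com/',
    'file:///etc/passwd',
    '/relative/path',
] as $candidate) {
    printf("%-40s %s\n", $candidate, isCallbackUrlSafe($candidate, $fakeDns) ? 'allowed' : 'rejected');
}
```

Two caveats matter when wiring a check like this into a scheduler. First, validating the name and then letting the HTTP client resolve it again leaves a DNS rebinding window; the request should be issued to the address that was validated (or the resolver pinned) rather than re-resolved. Second, the same validation must be applied to every redirect target, or redirects must be disabled, since an allowed public host can otherwise bounce the request to an internal one.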
CVE-2026-33237 is a Server-Side Request Forgery (SSRF) vulnerability in the wwbn/avideo Scheduler plugin, allowing attackers to make unauthorized requests through the application.
You are affected if you are running wwbn/avideo versions 25.0 or earlier. Check your version using ./avideo --version.
Upgrade to wwbn/avideo version 26.0 or later. If immediate upgrade is not possible, implement WAF rules to block malicious URLs.
There are currently no reports of active exploitation, but the vulnerability's nature suggests potential for automated attacks.
Refer to the official wwbn/avideo security advisory for CVE-2026-33237 on their project website or GitHub repository.