Server-Side Request Forgery Vulnerability in AVideo Video-Sharing Platform
CVE-2026-33024

9.3 CRITICAL

Key Information:

Vendor:
Wwbn

CVE Published:
20 March 2026

What is CVE-2026-33024?

AVideo, a popular video-sharing platform, has a Server-Side Request Forgery (SSRF) vulnerability in its public thumbnail endpoints (getImage.php and getImageMP4.php) in versions prior to 8.0. An attacker can supply an arbitrary URL through the base64Url GET parameter. The only validation applied is that the value is a syntactically valid URL beginning with http(s)://; nothing prevents the server from requesting potentially sensitive internal resources, such as AWS instance metadata or services on local addresses. Although the server does not return the fetched response directly, an attacker can infer information from timing differences and error logs. The issue is fixed in version 8.0.
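As an added example (not AVideo's code), the following Python contrasts the syntax-and-scheme check the advisory describes with a validator that resolves the host and refuses loopback, private, link-local and other non-public addresses before any fetch. The URL-safe base64 encoding of the parameter, the hostnames and the stub resolver are assumptions constructed for this example.

```python
import base64
import ipaddress
import socket
from urllib.parse import urlsplit

SAMPLE_PARAM = "aHR0cDovL2Nkbi5leGFtcGxlL2EuanBn"  # constructed: base64url of http://cdn.example/a.jpg

def weak_check(url: str) -> bool:  # the kind of check the advisory describes
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def _is_internal(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it too.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Loopback, RFC 1918/ULA, link-local (where cloud metadata lives), multicast, reserved.
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved

def system_resolver(host: str) -> list:
    return [r[4][0] for r in socket.getaddrinfo(host, None)]  # real DNS, address strings

def hardened_check(url: str, resolver=system_resolver) -> tuple:
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]                  # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)      # hostname: resolve first, then judge the addresses
        except OSError:
            return False, "unresolvable"
    for ip in map(ipaddress.ip_address, addrs):
        if _is_internal(ip):
            return False, f"internal address {ip}"
    return (True, "ok") if addrs else (False, "unresolvable")

def check_base64url_param(param: str, resolver=system_resolver) -> tuple:
    # Decode the GET parameter; URL-safe base64 with padding stripped is an assumption here.
    try:
        url = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return False, "bad encoding"
    return hardened_check(url, resolver)

def fake_resolver(host: str) -> list:
    # Constructed offline stub: one public-looking and one internal hostname.
    return {"cdn.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}.get(host, [])
```

Whatever fetches the thumbnail must then connect to the address that was vetted rather than resolving the name again, or a DNS rebinding answer can still point it inward; redirects need the same check on every hop.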

Affected Version(s)

AVideo-Encoder < 8.0

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 20 March 2026

  • Vulnerability reserved