Medium severity 6.5 · NVD Advisory · Published Mar 27, 2026 · Updated Mar 31, 2026
CVE-2026-33766
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, isSSRFSafeURL() validates URLs against private/reserved IP ranges before fetching, but url_get_contents() follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 contains a patch.
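The check-then-follow gap described above, modeled in Python as an added example; it is not AVideo's PHP code or the patch in the referenced commit. The function names, hosts, addresses and in-memory DNS/HTTP tables are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)
MAX_HOPS = 5
# Constructed stand-ins for DNS and HTTP so the example runs offline.
DNS = {"media.example": ["93.184.216.34"], "cdn.example": ["93.184.216.35"],
       "hop.example": ["93.184.216.36"], "intranet.example": ["10.0.0.5"]}
HTTP = {  # url -> (status, Location header, body)
    "http://media.example/ok": (302, "http://cdn.example/v.mp4", b""),
    "http://cdn.example/v.mp4": (200, None, b"video-bytes"),
    "http://hop.example/ip": (302, "http://127.0.0.1/admin", b""),
    "http://hop.example/dns": (301, "http://intranet.example/", b""),
    "http://127.0.0.1/admin": (200, None, b"internal"),
    "http://intranet.example/": (200, None, b"internal"),
}

def is_public_url(url, resolve=lambda host: DNS.get(host, [])):
    """Allow http(s) only, and only if every resolved address is global."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # not an IP literal, so resolve the name
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    return bool(addrs) and all(a.is_global for a in addrs)

def fetch_check_once(url, transport=HTTP.get):
    """Flawed pattern from the description: validate once, follow blindly."""
    if not is_public_url(url):
        raise ValueError("blocked: " + url)
    for _ in range(MAX_HOPS + 1):
        status, location, body = transport(url)
        if status not in REDIRECTS or not location:
            return url, body
        url = urljoin(url, location)  # redirect target is never checked
    raise ValueError("too many redirects")

def fetch_check_each_hop(url, transport=HTTP.get):
    """Hardened pattern: the same check gates every request in the chain."""
    for _ in range(MAX_HOPS + 1):
        if not is_public_url(url):
            raise ValueError("blocked: " + url)
        status, location, body = transport(url)
        if status not in REDIRECTS or not location:
            return url, body
        url = urljoin(url, location)
    raise ValueError("too many redirects")
```

A production client also has to connect to the address it validated, since a second DNS lookup at connect time can return a different answer.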
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
References
- github.com/WWBN/AVideo/commit/8b7e9dad359d5fac69e0cbbb370250e0b284bc12 (nvd: Patch, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-f359-r3pv-2phf (nvd: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-f359-r3pv-2phf (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33766 (ghsa: ADVISORY)