CVE-2026-33294: AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources

March 19, 2026

The BulkEmbed plugin’s save endpoint (plugin/BulkEmbed/save.json.php) fetches user-supplied thumbnail URLs via url_get_contents() without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with isSSRFSafeURL(), this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-66cw-h2mj-j39p
github.com/advisories/GHSA-66cw-h2mj-j39p
nvd.nist.gov/vuln/detail/CVE-2026-33294

Code Behaviors & Features

Detect and mitigate CVE-2026-33294 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →