CVE-2026-33024
AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.
| CWE | CWE-918 |
| Vendor | wwbn |
| Product | avideo-encoder |
| Published | Mar 20, 2026 |
| Last Updated | Mar 20, 2026 |
Get instant alerts for wwbn avideo-encoder
Be the first to know when new unknown vulnerabilities affecting wwbn avideo-encoder are published โ delivered to Slack, Telegram or Discord.