SSRF in Wwbn Avideo-encoder

CVE-2026-33024

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, ba…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (10.3th percentile) — read the EPSS interpretation.

Affected products

Wwbn Avideo-encoder — versions < 8.0

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-h9gh-866r-6vgq (x_refsource_CONFIRM)
https://github.com/WWBN/AVideo-Encoder/commit/f9df098534a0e05fd431e771ac9d70f0f36f1c06 (x_refsource_MISC)