CVE-2026-33237 - Vulnerability Analysis
Medium | CVSS: 5.5 | Last Updated: March 23, 2026
WWBN AVideo - Server Side Request Forgery
Published: March 21, 2026 | Updated: March 23, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo < 26.0 contains a server-side request forgery (SSRF) vulnerability caused by insufficient validation of the admin-configurable callbackURL in the Scheduler plugin. It lets attackers perform SSRF against internal network endpoints. Exploitation requires admin configuration.
Severity & Score
Severity: Medium
CVSS Score: 5.5
Impact
An attacker with admin access can perform SSRF to internal or cloud metadata endpoints, potentially exposing sensitive internal data or services.
Mitigation
Upgrade to version 26.0 or later.
Details
- CVE ID: CVE-2026-33237
- Severity: Medium
- CVSS Score: 5.5
- Type: server_side_request_forgery
- Status: confirmed
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N