GHSA-66cw-h2mj-j39p: AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources
medium
vulnerability
security
Summary
The BulkEmbed plugin in AVideo has an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into making requests to internal networks) in its thumbnail-fetching code. An authenticated user can supply a malicious URL that forces the server to fetch data from internal resources like cloud metadata services, and the response is saved as a publicly viewable image thumbnail, allowing the attacker to read sensitive information.
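The checks that close this kind of hole, as an added PHP example (not AVideo's code or its actual patch): vet the destination before fetching, and store the body only if it parses as an image. Function names, hostnames and the resolver map are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not AVideo's code or its actual fix.

/** True only for addresses outside private, loopback, link-local and reserved ranges. */
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/**
 * Returns the vetted IP to connect to, or null when the URL must not be fetched.
 * $resolver (hostname => list of IPs) is injectable so the check runs offline.
 */
function vetThumbnailUrl(string $url, ?callable $resolver = null): ?string
{
    // Default resolver is IPv4-only; an empty result means "refuse".
    $resolver = $resolver ?? fn(string $h): array => gethostbynamel($h) ?: [];
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null; // only web schemes are valid thumbnail sources
    }
    $host = trim($parts['host'], '[]'); // IPv6 literals arrive bracketed
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null; // refuse if ANY resolved address is internal
        }
    }
    return $ips[0] ?? null; // connect to this IP, not a fresh lookup
}

/** Accept a response body as a thumbnail only if it parses as an image. */
function isImageBody(string $body): bool
{
    return $body !== '' && @getimagesizefromstring($body) !== false;
}

// Constructed sample inputs; the resolver map stands in for DNS.
$dns = ['cdn.example.test' => ['93.184.216.34'], 'mixed.example.test' => ['93.184.216.34', '10.0.0.5']];
$fake = fn(string $h): array => $dns[$h] ?? [];
foreach (['https://cdn.example.test/t.jpg', 'http://mixed.example.test/t.jpg',
          'http://169.254.169.254/', 'http://[::1]/', 'file:///etc/hostname'] as $u) {
    printf("%-34s %s\n", $u, vetThumbnailUrl($u, $fake) ?? 'REJECTED');
}
var_dump(isImageBody('{"constructed":"non-image body"}'));
```

The fetch itself should connect to the returned IP (for example via cURL's `CURLOPT_RESOLVE`) and either disable redirects or re-vet every hop, otherwise a redirect or a second DNS lookup can still land on an internal address.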
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
March 19, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
wwbn/avideo@<= 25.0
Original source: https://github.com/advisories/GHSA-66cw-h2mj-j39p
First tracked: March 19, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%