← back
CVE-2026-43884

WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()

CVSS 7.7 HIGHEPSS 0.3%CWE-918
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 7.7EPSS 0.3%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
11 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the initial URL, the redirect target bypasses all SSRF protections. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products
WWBN · AVideo
public PoCs found1
cve_referencegithub.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99xgunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99xhttps://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99xg