← back
CVE-2026-45619

AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post

CVSS 6.5 MEDIUMEPSS 0.1%CWE-367CWE-918
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
29 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Affected products
WWBN · AVideo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/WWBN/AVideo/security/advisories/GHSA-c3ch-22rq-xfwr