CVE-2026-43884

HIGH 7.7

WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

8th

WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the initial URL, the redirect target bypasses all SSRF protections. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.

CWE	CWE-918
Vendor	wwbn
Product	avideo
Published	May 11, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new high vulnerabilities affecting wwbn avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

WWBN / AVideo

<= 29.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99x github.com: https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3 github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99xg