Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.
Published: 2026-03-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

A video hosting platform contains a proxy endpoint that accepts a user‑supplied URL and forwards the request to that URL. The code validates the initial URL for internal network addresses but does not re‑validate the URL after following an HTTP redirection. This allows an attacker to supply a URL that first redirects to an internal or cloud metadata endpoint, which is then fetched by the proxy unfiltered, giving the attacker access to internal resources without authentication. The primary impact is the ability to exfiltrate internal data or craft requests to internal services, compromising confidentiality and potentially enabling further attacks.
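The defensive pattern the fix describes, as an added illustration that is not AVideo's code: the private-address check is re-run on every redirect target before the next hop is fetched, instead of only on the URL the user supplied. The names safe_fetch, is_ssrf_safe_url and fetch_one are assumed; the hostnames, addresses and HTTP responses are constructed fixtures, and resolve is a callable returning a host's addresses (wrap socket.getaddrinfo in production).

```python
import ipaddress
from urllib.parse import urljoin, urlparse
REDIRECT_CODES = {301, 302, 303, 307, 308}

def _is_public(addr):
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 as 10.0.0.5, not as "some IPv6"
    return ip.is_global and not ip.is_multicast  # rejects RFC1918, loopback, link-local

def is_ssrf_safe_url(url, resolve):
    """True for http(s) URLs whose host resolves only to public addresses; resolve(host) -> list of address strings."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve(parts.hostname)
        return bool(addrs) and all(_is_public(a) for a in addrs)
    except (OSError, ValueError):
        return False  # unresolvable or malformed address: fail closed

def safe_fetch(url, fetch_one, resolve, max_redirects=5):
    """Fetch url, re-validating EVERY redirect target; fetch_one must not follow redirects itself."""
    for _ in range(max_redirects + 1):
        if not is_ssrf_safe_url(url, resolve):
            raise ValueError(f"blocked unsafe URL: {url}")
        status, headers, body = fetch_one(url)
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # relative Location values resolve against the hop
            continue
        return body
    raise ValueError("too many redirects")

# Constructed offline fixtures standing in for DNS and HTTP; none of these hosts is real.
FAKE_DNS = {"hop.example.test": ["11.22.33.44"], "cdn.example.test": ["11.22.33.45"]}
FAKE_HTTP = {
    "http://hop.example.test/stream": (302, {"Location": "/final.m3u8"}, b""),
    "http://hop.example.test/final.m3u8": (200, {}, b"#EXTM3U"),
    "http://cdn.example.test/evil": (302, {"Location": "http://10.0.0.5/"}, b""),
}
fake_resolve = lambda host: FAKE_DNS.get(host, [host])  # IP literals pass through

def demo():
    # Legitimate chain follows its relative redirect; the hop into 10.0.0.0/8 is refused.
    body = safe_fetch("http://hop.example.test/stream", FAKE_HTTP.__getitem__, fake_resolve)
    try:
        safe_fetch("http://cdn.example.test/evil", FAKE_HTTP.__getitem__, fake_resolve)
        return body, False
    except ValueError:
        return body, True
```

Checking the name once and then letting the HTTP client follow redirects is exactly the gap described above; the check has to sit inside the redirect loop, and resolving the name at check time still leaves a DNS-rebinding window unless the fetch is pinned to the validated address.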

Affected Systems

The flaw exists in the WWBN AVideo platform, specifically in versions 25.0 and older within the LiveLinks/proxy.php endpoint. The vulnerability was addressed in version 26.0, where each redirection is validated against internal addresses.

Risk and Exploitability

The vulnerability has a CVSS score of 8.6 and an EPSS probability below 1%. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker only needs to send a request to the proxy endpoint, which is typically reachable from any network that can reach the web application. An unauthenticated attacker can thus use this flaw to reach internal services and potentially compromise infrastructure. The risk is significant given the high CVSS score, but the low EPSS suggests that widespread exploitation is currently unlikely.

Generated by OpenCVE AI on March 23, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to version 26.0 or later, where the redirect check is applied
  • Confirm that the proxy endpoint no longer follows redirects to private IP ranges or cloud metadata URLs
  • Review logs and monitor traffic for abnormal proxy usage that may indicate SSRF attempts

Advisories
Source: GitHub GHSA
ID: GHSA-9x67-f2v7-63rw
Title: AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
History

Mon, 23 Mar 2026 16:30:00 +0000

CPEs (added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 14:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

First Time appeared: Wwbn, Wwbn avideo
Vendors & Products: Wwbn, Wwbn avideo

Fri, 20 Mar 2026 06:00:00 +0000

Description (added): WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.
Title (added): AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
Weaknesses (added): CWE-918
References
Metrics (added): cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:52:22.947Z

Reserved: 2026-03-17T18:10:50.210Z

Link: CVE-2026-33039

Vulnrichment

Updated: 2026-03-20T13:52:11.945Z

NVD

Status : Analyzed

Published: 2026-03-20T06:16:12.150

Modified: 2026-03-23T16:22:49.120

Link: CVE-2026-33039

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:21Z

Weaknesses