This vulnerability exists in the image download endpoints of the WWBN AVideo platform. The server performs an SSRF check through the isSSRFSafeURL() function, which rejects URLs pointing to private or reserved IP ranges. However, the subsequent call to url_get_contents() blindly follows HTTP redirects without re‑applying the check. Consequently, an attacker can supply a public URL that redirects to an internal target, allowing the server to fetch internal resources. The flaw permits unauthorized access to internal services and data, constituting an internal resource disclosure via SSRF. It is classified as CWE‑918, which describes server‑side request forgery that bypasses network restrictions.

All versions of WWBN AVideo up to and including 26.0 are affected. The patch commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 removes the vulnerability. Users should upgrade to any version newer than 26.0 or apply this specific patch to ensure the SSRF guard is enforced properly.

The CVSS score of 5.3 denotes a medium severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves a remote attacker crafting a specially crafted HTTP request to the image download endpoint that contains a redirect to an internal IP address. The exploit requires only network access to the web application and does not rely on privileged authentication, making it potentially reachable from the open internet.