Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
Published: 2026-04-21
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Access via Server‑Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

AVideo versions up to 29.0 contain an incomplete protection for Server‑Side Request Forgery (CWE‑918) in its LiveLinks proxy. The mitigation added an isSSRFSafeURL() filter but did not address the DNS Time‑of‑Check to Time‑of‑Use flaw, allowing an attacker to perform DNS rebinding between the safe‑URL check and the actual request. This enables the attacker to cause the proxy to resolve a name that initially appears safe but later resolves to an internal IP or hostname, thereby giving the attacker access to internal resources or services exposed only within the infrastructure.
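The following is an added illustration of the check-then-resolve gap described above and of the resolve-once, connect-to-the-validated-address pattern that closes it; it is not AVideo's code nor the fix in the referenced commit, and the resolver, URL and addresses are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit


class RebindingResolver:
    """Constructed stand-in for DNS under a rebinding attack: repeated lookups
    of the same name return the answers in order, so the first (validated)
    answer is public and the next one is internal."""

    def __init__(self, answers):
        self.answers = list(answers)

    def __call__(self, host):
        return self.answers.pop(0) if len(self.answers) > 1 else self.answers[0]


def is_public_ip(ip):
    """Reject loopback, RFC 1918, link-local (incl. 169.254.169.254) and other
    non-routable ranges; this is the kind of check an isSSRFSafeURL() does."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_then_fetch(url, resolver):
    """The TOCTOU pattern: validate one lookup, then let the HTTP client
    resolve the name a second time when it actually connects."""
    host = urlsplit(url).hostname
    if not is_public_ip(resolver(host)):
        raise ValueError("blocked by URL filter")
    return resolver(host)  # the address the client really connects to


def pinned_fetch(url, resolver):
    """Resolve once, validate that answer, and connect to that address only;
    the name is never looked up again between check and use."""
    parts = urlsplit(url)
    ip = resolver(parts.hostname)
    if not is_public_ip(ip):
        raise ValueError("blocked by URL filter")
    # The caller opens the socket to `ip` and sends `Host: parts.hostname`;
    # any HTTP redirect target must be passed back through this function.
    return ip, parts.hostname
```

With the constructed resolver, `check_then_fetch` passes the filter yet ends up connecting to 127.0.0.1, while `pinned_fetch` connects to the address that was actually validated.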

Affected Systems

The vulnerability affects the open‑source video platform WWBN AVideo, specifically all releases 29.0 and earlier. Versions updated with commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contain the corrected protection.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity for this SSRF flaw. No EPSS score is published, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the LiveLinks proxy endpoint; an attacker can trigger internal requests if the proxy is reachable from the Internet or from compromised internal hosts.

Generated by OpenCVE AI on April 22, 2026 at 07:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a release that includes commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 or later, which corrects the DNS TOCTOU flaw.
  • Disable or remove the LiveLinks proxy feature if it is not required for the deployment.
  • Restrict the proxy to a whitelist of trusted external hosts and enforce strict DNS validation to mitigate SSRF attempts.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 04:00:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

Type: Title
Values Added: AVideo has an incomplete fix for CVE-2026-33039 (SSRF)

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T22:35:27.054Z

Reserved: 2026-04-16T16:43:03.172Z

Link: CVE-2026-41055

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T23:16:20.707

Modified: 2026-04-21T23:16:20.707

Link: CVE-2026-41055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

Weaknesses