Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.
Published: 2026-04-21
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote server access via SSRF leading to potential data exfiltration
Action: Immediate Patch
AI Analysis

Impact

An SSRF weakness (CWE-918) exists in the AVideo web platform in versions 29.0 and earlier. The isSSRFSafeURL() function in objects/functions.php contains a same-domain short-circuit that compares only the hostname of the requested URL against webSiteRootURL and ignores the port, so any URL on the site's own hostname skips the remaining SSRF protections. An attacker can therefore supply a URL that uses the site's public hostname with a non-standard port, and the server will fetch it, reaching services listening on that port that were never meant to be exposed through the application. Because the response body is written to a web-accessible path, the attacker can then retrieve whatever was fetched, turning the flaw into data exfiltration.

Affected Systems

The affected product is AVideo, the open-source video platform developed by WWBN. All releases up to and including version 29.0 contain this vulnerability. The fix is commit a0156a6398362086390d949190f9d52a823000ba, which should be applied to any installation running an affected version.

Risk and Exploitability

With a CVSS 3.1 score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), this vulnerability carries a high severity rating: network-reachable, low attack complexity, low privileges required, no user interaction, a scope change, and high confidentiality impact with no integrity or availability impact. The EPSS probability is below 1%, the CISA SSVC assessment on this record lists Exploitation as "poc" and Automatable as "no", and the flaw is not in the CISA KEV catalog. The likely attack path is a low-privileged user submitting a URL that the application fetches on the server side, using the site's own hostname with a non-standard port. Because that request originates from the AVideo server itself, it reaches whatever is listening on that port on the server regardless of perimeter filtering, and the response is stored on the web-accessible file system for retrieval. The bypass is a plain hostname comparison, so exploitation is straightforward to script once a target port is known; any instance that runs additional services on non-standard ports, or that does not validate the full host:port pair, is at high operational risk.

Generated by OpenCVE AI on April 22, 2026 at 06:13 UTC.

Remediation

The vendor fix is commit a0156a6398362086390d949190f9d52a823000ba (see Description); no separate workaround has been published.

OpenCVE Recommended Actions

  • Apply the official patch from commit a0156a6398362086390d949190f9d52a823000ba so that isSSRFSafeURL() no longer short-circuits on a hostname-only match.
  • If the patch cannot be applied immediately, do not rely on the perimeter firewall: the request is made by the AVideo server itself, so it reaches ports on that server from the inside. Restrict the web server process's outbound connections at the host level instead (for example, iptables OUTPUT rules matched on the web server's uid with the owner module) to the destinations and ports the application legitimately needs, and review which services listen on non-standard ports on the host.
  • Treat a URL as same-site only when scheme, hostname and effective port all match webSiteRootURL; a hostname-only comparison is exactly the bypass described here.
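The hostname-only comparison described in the Impact section and the full host:port validation recommended above, side by side, as an added Python example (this is not AVideo's PHP code and not the contents of the fix commit); the root URL, the probe URLs and the function names are assumptions chosen for illustration:

```python
from urllib.parse import urlsplit

# Assumed site root for the examples below (illustrative, not a real deployment).
ROOT_URL = "https://video.example.com/"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Parse a URL into (scheme, hostname, effective_port), or None if unusable."""
    try:
        u = urlsplit(url)
        port = u.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return None
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    if scheme not in _DEFAULT_PORTS or not host:
        return None
    return scheme, host, port if port is not None else _DEFAULT_PORTS[scheme]


def same_site_hostname_only(url, root_url=ROOT_URL):
    """The weak pattern the advisory describes: only the hostname is compared,
    so https://video.example.com:8080/ counts as 'our own site'."""
    u, r = _split(url), _split(root_url)
    return u is not None and r is not None and u[1] == r[1]


def same_site_strict(url, root_url=ROOT_URL):
    """Hardened comparison: scheme, hostname and effective port must all match,
    so only the site's real public origin is allowed to skip the SSRF checks."""
    u, r = _split(url), _split(root_url)
    return u is not None and r is not None and u == r


def short_circuit_diff(urls, root_url=ROOT_URL):
    """Return the URLs that the hostname-only rule would let through but the
    strict rule rejects; each one is a bypass of the SSRF protections."""
    return [
        u for u in urls
        if same_site_hostname_only(u, root_url) and not same_site_strict(u, root_url)
    ]


# Constructed probe URLs exercising the interesting cases.
PROBES = [
    "https://video.example.com/feed.xml",   # legitimate same-origin fetch
    "http://video.example.com:443/",        # scheme downgrade, same port
    "https://video.example.com:8080/",      # alternate port: the reported bypass
    "https://VIDEO.example.com:3306/",      # case-folded host, database port
    "https://video.example.com:99999/",     # invalid port: rejected by both
    "https://evil.example.net/",            # different host: rejected by both
]

if __name__ == "__main__":
    for url in PROBES:
        print(f"{url:40} hostname-only={same_site_hostname_only(url)!s:5} "
              f"strict={same_site_strict(url)}")
    print("bypass candidates:", short_circuit_diff(PROBES))
```

Comparing the parsed origin rather than the hostname string also defeats the case-folding and scheme-downgrade variants, which a hostname-only check treats as equivalent to the site root. A real guard still has to resolve the hostname and reject private, loopback and link-local addresses before connecting; this block only shows the origin comparison that the advisory identifies as broken.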

Generated by OpenCVE AI on April 22, 2026 at 06:13 UTC.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 03:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values Removed: (none)
Values Added: Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.

Type: Title
Values Removed: (none)
Values Added: AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T14:02:06.458Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41060

Vulnrichment

Updated: 2026-04-22T14:01:50.083Z

NVD

Status : Received

Published: 2026-04-21T23:16:21.250

Modified: 2026-04-22T14:17:03.853

Link: CVE-2026-41060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses