Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). When any other user (including a second account owned by the same attacker) donates even a trivial amount via plugin/CustomizeUser/donate.json.php, the AVideo server issues a curl POST to the attacker-supplied URL, resulting in a blind SSRF. The handler uses only isValidURL() (which is a format check) and does not call the codebase's own isSSRFSafeURL() helper. Additionally, CURLOPT_FOLLOWLOCATION is enabled with no per-hop revalidation, so even if the stored URL were validated, an HTTP 307 from an attacker-controlled host could redirect the POST to internal targets. Commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9 contains an updated fix.
Published: 2026-05-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can configure a donation‑notification webhook URL that points to an internal or loopback address. When another user donates, the AVideo server performs a curl POST to this unvalidated URL, enabling the attacker to send requests to otherwise inaccessible internal services. The weakness is a blind SSRF, defined by CWE‑918: an attacker can trigger internal network traffic without receiving any response data back. The impact is limited to the ability to reach internal hosts, potentially exposing configuration, credentials, or other sensitive internal information.

Affected Systems

WWBN AVideo, versions up to 29.0. The vulnerability exists across all installations of AVideo before the fix commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity, and the EPSS score is not available, so the exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to create an authenticated account to set a malicious webhook, then have or create a second account to trigger a donation. Both conditions are achievable in compromised or shared environments, making the risk moderate. The attacker can target internal metadata or services like 127.0.0.1, 169.254.169.254, or other RFC1918 ranges; redirect bypass via CURLOPT_FOLLOWLOCATION further increases reach.

Generated by OpenCVE AI on May 11, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 29.0 that includes commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9.
  • Restrict the ability to set donation webhook URLs to administrators or impose a validation that calls isSSRFSafeURL() before acceptance.
  • Disable CURLOPT_FOLLOWLOCATION for the webhook request, or revalidate every redirect target (each Location header) against the same SSRF check before it is followed, so that a redirect cannot reach internal targets.
  • Monitor outbound curl POST requests for unexpected internal destinations to detect abuse.
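To make the two remediation points concrete (validate the stored webhook URL against loopback, link-local and RFC1918 destinations, and revalidate every redirect hop instead of letting the HTTP client follow Location headers blindly), here is an added example in Python. It is not AVideo code and not the project's own isSSRFSafeURL(); the function names is_ssrf_safe_url and post_webhook, the 93.184.216.34 webhook host and the scripted responses are constructed for the example. The check goes beyond the advisory's listed hosts by also resolving DNS names, unwrapping IPv4-mapped IPv6 literals and rejecting non-http(s) schemes.

```python
"""Hardened outbound-webhook dispatch (added example, not AVideo code).

Two defences the advisory calls for: a destination check that goes past a
format check (scheme, host, and every address the host resolves to), and
per-hop revalidation of redirects instead of CURLOPT_FOLLOWLOCATION-style
blind following."""
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request

MAX_REDIRECTS = 3


def _addr_is_internal(ip):
    """True for any address a user-supplied webhook must never reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # e.g. ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_ssrf_safe_url(url):
    """Hypothetical replacement for a format-only check: http(s) only, and
    every address the host resolves to must be globally routable."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no DNS needed
    except ValueError:
        # A name (or shorthand like "127.1"): resolve it and check every record.
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return False
        addrs = []
        for info in infos:
            try:
                addrs.append(ipaddress.ip_address(info[4][0]))
            except ValueError:  # scoped/odd literal: refuse rather than guess
                return False
    return bool(addrs) and not any(_addr_is_internal(a) for a in addrs)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx to the caller instead of following it


def _urllib_fetch(url, body):
    """One POST with redirects NOT followed. Returns (status, headers)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def post_webhook(url, body, fetch=_urllib_fetch, max_redirects=MAX_REDIRECTS):
    """Deliver the webhook, revalidating the target before EVERY hop.
    Returns the list of URLs actually contacted; raises ValueError if the
    initial URL or any redirect target points at an internal address."""
    visited = []
    for _ in range(max_redirects + 1):
        if not is_ssrf_safe_url(url):
            raise ValueError("blocked webhook destination: %s" % url)
        visited.append(url)
        status, headers = fetch(url, body)
        headers = {k.lower(): v for k, v in headers.items()}
        location = headers.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return visited
        url = urllib.parse.urljoin(url, location)  # relative Location allowed
    raise ValueError("too many redirects")


# Constructed, offline stand-in for the network: scripted responses that
# model a 307 from a public host into the cloud metadata range (blocked)
# and a benign same-host redirect chain (allowed).
SCRIPTED = {
    "https://93.184.216.34/hook": (307, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "https://93.184.216.34/v2/hook": (307, {"Location": "/v3/hook"}),
    "https://93.184.216.34/v3/hook": (200, {}),
}


def scripted_fetch(url, body):
    return SCRIPTED.get(url, (404, {}))


def demo():
    """Run both scenarios offline; returns (blocked_message, benign_chain)."""
    try:
        post_webhook("https://93.184.216.34/hook", b"{}", fetch=scripted_fetch)
        blocked = None
    except ValueError as exc:
        blocked = str(exc)
    chain = post_webhook("https://93.184.216.34/v2/hook", b"{}", fetch=scripted_fetch)
    return blocked, chain


if __name__ == "__main__":
    print(demo())
```

The redirect loop deliberately re-runs the same destination check on each Location, which is the piece a CURLOPT_FOLLOWLOCATION-only setup lacks: the stored URL can be perfectly valid and the attacker's host still answers with a 307 into 169.254.169.254. Resolving DNS in the check still leaves a rebinding window between check and connect; pinning the resolved address for the actual connection closes that, but is outside this example.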



Advisories

Source: Github GHSA
ID: GHSA-wp38-whx3-xffh
Title: AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
History

Mon, 11 May 2026 23:00:00 +0000

Values Removed: none

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Values Removed: none

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). When any other user (including a second account owned by the same attacker) donates even a trivial amount via plugin/CustomizeUser/donate.json.php, the AVideo server issues a curl POST to the attacker-supplied URL, resulting in a blind SSRF. The handler uses only isValidURL() (which is a format check) and does not call the codebase's own isSSRFSafeURL() helper. Additionally, CURLOPT_FOLLOWLOCATION is enabled with no per-hop revalidation, so even if the stored URL were validated, an HTTP 307 from an attacker-controlled host could redirect the POST to internal targets. Commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9 contains an updated fix.

Type: Title
Values Added: WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added: none listed

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:36:34.210Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43879

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-11T22:22:12.390

Modified: 2026-05-12T15:13:21.560

Link: CVE-2026-43879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses