Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the initial URL, the redirect target bypasses all SSRF protections. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.
Published: 2026-05-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WWBN AVideo’s isSSRFSafeURL() function fails to validate redirects, permitting an attacker to supply a URL that the application will follow to an internal endpoint, such as the instance’s cloud‑metadata service. An attacker can leverage this to retrieve data that should be protected, potentially exposing infrastructure details and privileged information. The weakness is a classic SSRF flaw that can lead to data exfiltration and further internal compromise.

Affected Systems

The flaw is present in WWBN AVideo versions up to and including 29.0. Users running these or older releases are at risk until the fix from commit 603e7bf77a835584387327e35560262feb075db3 is applied or a newer version is installed.

Risk and Exploitability

The CVSS score of 7.7 indicates a high impact vulnerability; the EPSS score is not available, and it is not in CISA’s KEV catalog, but the lack of mitigation in the affected releases makes exploitation straightforward. The likely attack path involves an unauthenticated or authenticated user submitting a malicious URL to the vulnerable endpoints (plugin/AI/receiveAsync.json.php or objects/EpgParser.php). The application then follows a 302 redirect to a target such as http://169.254.169.254/latest/meta-data/ and fetches the redirect target without re‑applying the SSRF checks. This enables access to internal services that are normally inaccessible from the public internet.

Generated by OpenCVE AI on May 11, 2026 at 23:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AVideo 30.0 or newer, which contains the commit that properly validates redirect targets and disables automatic redirect following or otherwise sanitizes the target URL.
  • If an upgrade cannot be performed immediately, restrict the affected endpoints to trusted IP ranges or disable them entirely until a patch is applied.
  • Implement server‑side redirect checks that enforce a whitelist of allowed target hosts or disallow redirects for SSRF‑protected URLs at the application level.
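The redirect-following behaviour described above can be closed by turning off the http wrapper's automatic redirects and re-validating every hop before it is requested. The following PHP is an added example, not AVideo's own code or its fix; it assumes isSSRFSafeURL() is the platform's existing validator (returning true only for non-internal targets) and that the caller passes it in as the callback.

```php
<?php
// Added example, not AVideo's code: fetch a URL without letting PHP's http
// wrapper follow Location headers on its own. Every hop is passed back through
// the validator callback (assumed: the platform's isSSRFSafeURL()) before
// it is requested, so a 302 to an internal address is refused, not followed.

function fetchWithValidatedRedirects(string $url, callable $isSafe, int $maxHops = 3): ?string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!$isSafe($url)) {
            error_log("SSRF guard: refused $url at hop $hop");
            return null;
        }
        $ctx = stream_context_create(['http' => [
            'follow_location' => 0,    // never auto-follow 3xx responses
            'ignore_errors'   => true, // hand back the 3xx response instead of failing
            'timeout'         => 5,
        ]]);
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) {
            return null;
        }
        // $http_response_header is populated by the http wrapper in this scope
        $status = 0;
        $location = null;
        foreach ($http_response_header ?? [] as $h) {
            if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) {
                $status = (int) $m[1];
            } elseif (stripos($h, 'Location:') === 0) {
                $location = trim(substr($h, strlen('Location:')));
            }
        }
        if ($status < 300 || $status > 399 || $location === null) {
            return $body; // final (non-redirect) response
        }
        // Make a path-absolute Location absolute so the validator sees the real host;
        // other relative forms are refused rather than guessed at.
        if (!preg_match('#^https?://#i', $location)) {
            if ($location[0] !== '/') {
                error_log("SSRF guard: unsupported relative redirect '$location'");
                return null;
            }
            $p = parse_url($url);
            $location = $p['scheme'] . '://' . $p['host']
                      . (isset($p['port']) ? ':' . $p['port'] : '') . $location;
        }
        $url = $location; // next iteration re-validates the redirect target
    }
    error_log("SSRF guard: redirect chain longer than $maxHops hops, giving up");
    return null;
}
```

Usage: `$data = fetchWithValidatedRedirects($userUrl, 'isSSRFSafeURL');`. This closes the redirect bypass only; the DNS rebinding variant named in the GHSA title still needs the validated address to be pinned for the actual connection (for example with cURL's CURLOPT_RESOLVE), which a stream-wrapper fetch cannot do.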


Tracking

Advisories
Source: GitHub GHSA
ID: GHSA-2hch-c97c-g99x
Title: AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared: Wwbn; Wwbn avideo
Vendors & Products: Wwbn; Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the initial URL, the redirect target bypasses all SSRF protections. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.
Title WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
Weaknesses CWE-918
References
Metrics cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:22:09.796Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43884

Vulnrichment

Updated: 2026-05-12T13:21:58.033Z

NVD

Status : Deferred

Published: 2026-05-11T22:22:13.073

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-43884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses