CVE-2026-45619 - Vulnerability Details

- AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.

Published: 2026-05-29

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In AVideo version 29.0 and earlier, several request handlers omit the resolvedIP output of isSSRFSafeURL, meaning DNS pinning via CURLOPT_RESOLVE does not occur. This oversight creates a TOCTOU window that allows an attacker to trick the server into resolving a domain to an internal IP address. If successful, the attacker can instruct the server to make HTTP requests to private resources, bypassing normal access controls.

Affected Systems

The affected product is WWBN AVideo, specifically releases 29.0 and older. Files such as EpgParser.php, plugin/AI/receiveAsync.json.php, and other relevant code paths are impacted. Any instance running these versions is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is not available, so the exploitation likelihood is uncertain, and the vulnerability is not currently listed in CISA KEV. Attackers would need to control a domain they can resolve to an internal IP and target the application’s request handlers; thus the exploit is primarily remote and does not require authentication. Because the flaw enables SSRF to internal services, it carries potential confidentiality or integrity risks for internal data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 29.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,29.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade AVideo to version 30.0 or later, where the isSSRFSafeURL call sites correctly forward the resolvedIP parameter for DNS pinning.
If upgrading is not immediately possible, enforce DNS pinning manually by validating resolved IP addresses against a whitelist of allowed external ranges before sending requests.
Restrict outbound HTTP requests from the application to known external hostnames or block internal IP ranges via firewall or network segmentation.

Generated by OpenCVE AI on May 29, 2026 at 15:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-c3ch-22rq-xfwr	AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00136.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/security/advisories/GHSA-c3ch-22rq-xfwr

History

Mon, 01 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Fri, 29 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Fri, 29 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 29 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.
Title		AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post
Weaknesses		CWE-367 CWE-918
References		https://github.com/WWBN/AVideo/security/advisories/GHSA-c3ch-22rq-xfwr
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-29T13:11:37.401Z

Updated: 2026-05-29T14:02:31.384Z

Reserved: 2026-05-12T20:31:43.448Z

Link: CVE-2026-45619

Vulnrichment

Updated: 2026-05-29T14:02:27.033Z

NVD

Status : Analyzed

Published: 2026-05-29T14:16:30.980

Modified: 2026-06-01T18:40:21.603

Link: CVE-2026-45619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses

CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-918
Server-Side Request Forgery (SSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object