cbcvebase.
CVE-2026-33039
published 2026-03-20

CVE-2026-33039: WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against…

PriorityP352high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EPSS
0.45%
36.1th percentile
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.

Affected

3 ranges
VendorProductVersion rangeFixed in
wwbnavideo< 26.026.0
wwbnavideo0 – 25.0
wwbnavideo0 – 29.0

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
ghsa8.6HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.