CVE-2026-33039
Published: 2026-03-20
Priority: P3 · 52 · Severity: high · CVSS 3.1 base score: 8.6
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
EPSS: 0.45% (36.1th percentile)
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | < 26.0 | 26.0 |
| wwbn | avideo | 0 – 25.0 | — |
| wwbn | avideo | 0 – 29.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| ghsa | | 8.6 | HIGH | |
GHSA
WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
ghsa·2026-04-14·CVSS 8.6
CVE-2026-33039 [HIGH] CWE-918 WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
### Summary
The incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints.
### Affected Package
- **Ecosystem:** Other
- **Package:** AVideo
- **Affected versions:** = commit 0e56382921fc71e64829cd1ec35f04e338c70917
### Details
The `plugin/LiveLinks/proxy.php` endpoint proxies live stream URLs. The fix adds an `isSSRFSafeURL()` check on the initial URL, validation of the redirect URL, and `follow_location=0` in the `get_headers()` context. However, multiple DNS TOCTOU vulnerabilities remain.
For the initial URL, `isSSRFSafeURL()` resolves DNS once for validation, but `
OSV
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
osv·2026-03-17
CVE-2026-33039 [HIGH] AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
## Summary
The `plugin/LiveLinks/proxy.php` endpoint validates user-supplied URLs against internal/private networks using `isSSRFSafeURL()`, but only checks the initial URL. When the initial URL responds with an HTTP redirect (`Location` header), the redirect target is fetched via `fakeBrowser()` without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect.
## Affected Component
- `plugin/LiveLinks/proxy.php` — lines 38-42 (redirect handling without SSRF re-validation)
- `objects/functionsBrowser.php` — `fakeBrowser()` (line 123, raw cURL fetch with no SSRF protections)
## Description
### Missing SSRF re-validation a
GHSA
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
ghsa·2026-03-17
CVE-2026-33039 [HIGH] CWE-918 AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
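A hardened fetch for the pattern described in these advisories, as an added illustrative example (not AVideo's own code; `isPublicIp()`, `resolveSafeHost()` and `safeFetch()` are assumed names): every hop, the initial URL and each `Location` target, is resolved and checked, and the connection is then pinned to the address that was checked, which closes both the unvalidated-redirect path and the DNS rebinding window noted in the incomplete-fix advisory.

```php
<?php
// Added illustrative example, not AVideo's own code; the function names are
// assumed. Every hop (initial URL and each Location target) is resolved and
// checked, then fetched with cURL pinned to the validated IP (CURLOPT_RESOLVE),
// so a DNS answer changing between check and request cannot reach an internal host.
function isPublicIp(string $ip): bool {
    // NO_PRIV_RANGE rejects RFC1918 and fc00::/7; NO_RES_RANGE rejects loopback,
    // 0.0.0.0/8, 169.254.0.0/16 (cloud metadata), 240.0.0.0/4, ::1 and fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Resolve once; return the IP to pin, or null if any answer is non-public.
function resolveSafeHost(string $host): ?string {
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : [];
    foreach ($ips ? [] : (@dns_get_record($host, DNS_A | DNS_AAAA) ?: []) as $r) {
        if ($v = $r['ip'] ?? $r['ipv6'] ?? null) { $ips[] = $v; }
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) { return null; } // one internal answer rejects the whole set
    }
    return $ips[0] ?? null;                     // null: nothing resolved
}

// Fetch $url, re-validating every redirect target instead of letting cURL follow.
function safeFetch(string $url, int $maxHops = 3): ?string {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $p = parse_url($url) ?: [];
        $scheme = $p['scheme'] ?? '';
        if (!in_array($scheme, ['http', 'https'], true) || empty($p['host'])) { return null; }
        $ip = resolveSafeHost($p['host']);
        if ($ip === null) { return null; }      // internal or unresolvable target
        $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,    // redirects come back here for validation
            CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"],
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = (string) curl_getinfo($ch, CURLINFO_REDIRECT_URL); // '' when no Location
        curl_close($ch);
        if ($code < 300 || $code > 399 || $next === '') { return $body === false ? null : $body; }
        $url = $next;                           // next iteration validates the redirect target
    }
    return null;                                // too many hops
}
```

The `filter_var` flags used here do not cover every range a deployment may treat as internal (for example 100.64.0.0/10), so extend `isPublicIp()` with any additional blocklist the environment needs.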
No detection rules found.
No public exploits indexed.
Published: 2026-03-20