Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-43884
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-11 May, 2026 | 20:44
Updated At-12 May, 2026 | 13:22
Rejected At-
▼CVE Numbering Authority (CNA)
WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()

WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the initial URL, the redirect target bypasses all SSRF protections. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.

Affected Products
Vendor
WWBN
Product
AVideo
Versions
Affected
  • <= 29.0
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918: Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918: Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99x
x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3
x_refsource_MISC
Hyperlink: https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99x
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99xg
exploit
Hyperlink: https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99xg
Resource:
exploit
Details not found