PT-2026-25997 · Wwbn · Avideo

Bugbunny-Research · Published 2026-03-17 · Updated 2026-04-14 · CVE-2026-33039

CVSS v3.1: 8.6 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 25.0 and below
Description: WWBN AVideo is an open source video platform. In versions 25.0 and below, the 'plugin/LiveLinks/proxy.php' endpoint validates a user-supplied URL against internal/private networks with isSSRFSafeURL(), but only the initial URL is checked. If that URL answers with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without being re-validated, so an attacker who controls the first server can steer the fetch to internal services, including cloud metadata endpoints and RFC1918 addresses. fakeBrowser() issues a raw cURL GET with no URL validation of its own, which is what makes the redirect usable for Server-Side Request Forgery (SSRF).

The endpoint is unauthenticated; only network access to the AVideo instance is required. Two requests are affected: the header retrieval and the subsequent fetch of the full response body, each of which follows the attacker-controlled redirect. Successful exploitation exposes cloud metadata, allows scanning of the internal network, and can exfiltrate data from internal services.
Recommendations (versions 25.0 and below):
- Re-validate the redirect target with isSSRFSafeURL() before fetching it, for every hop of a redirect chain, not only the first URL.
- Disable automatic redirect following in get_headers() by setting follow_location => 0 in the stream context passed to it, so that redirects are only followed by code that re-validates each target.
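As an added example (not AVideo's code and not part of the advisory), the following PHP models the vulnerable and the fixed fetch loop side by side. isSafeUrlDemo() is a stand-in for the project's isSSRFSafeURL(), requestOnce() stands in for get_headers()/fakeBrowser() with redirect following disabled, and DNS_DEMO/NET_DEMO are constructed data so the file runs offline; every name below is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's code. Models the redirect re-validation bug
// described for plugin/LiveLinks/proxy.php and a fix that checks every hop.
// DNS_DEMO and NET_DEMO are constructed data; no network access is made.

/** Constructed DNS answers for the demo hostnames (assumption). */
const DNS_DEMO = [
    'attacker.example'  => '203.0.113.10',    // public, so the first check passes
    'metadata.internal' => '169.254.169.254', // cloud metadata service
];

/** Constructed responses standing in for the network: url => [status, Location, body]. */
const NET_DEMO = [
    'http://attacker.example/start'              => [302, 'http://metadata.internal/latest/meta-data/', ''],
    'http://metadata.internal/latest/meta-data/' => [200, null, "ami-id\ninstance-id\n"],
    'http://attacker.example/page'               => [200, null, '<html>harmless</html>'],
];

/**
 * Stand-in for isSSRFSafeURL(): http(s) only, and the host must not resolve
 * into a private range (RFC1918, fc00::/7) or a reserved one (loopback,
 * 169.254.0.0/16, fe80::/10, ...). PHP's flags do not cover 100.64.0.0/10;
 * add that check yourself if CGNAT space is reachable from the server.
 */
function isSafeUrlDemo(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($p['host']);
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : (DNS_DEMO[$host] ?? null);
    if ($ip === null) {
        return false; // unresolvable: fail closed
    }
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Resolve a Location header (absolute, scheme-relative or path-only) against the URL that sent it. */
function resolveLocation(string $base, string $location): string
{
    if (parse_url($location, PHP_URL_SCHEME) !== null) {
        return $location;
    }
    $b = parse_url($base);
    if (str_starts_with($location, '//')) {
        return $b['scheme'] . ':' . $location;
    }
    $port = isset($b['port']) ? ':' . $b['port'] : '';
    $path = ($location === '' || $location[0] === '/') ? $location : '/' . $location;
    return $b['scheme'] . '://' . $b['host'] . $port . $path;
}

/** One request with redirects NOT followed (follow_location => 0 / CURLOPT_FOLLOWLOCATION off). */
function requestOnce(string $url): array
{
    return NET_DEMO[$url] ?? [404, null, ''];
}

/** Vulnerable shape: validate once, then chase redirects without re-checking. */
function proxyVulnerable(string $url, int $maxHops = 5): array
{
    if (!isSafeUrlDemo($url)) {
        throw new InvalidArgumentException("blocked: $url");
    }
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        [$status, $location, $body] = requestOnce($url);
        if ($status >= 300 && $status < 400 && $location !== null) {
            $url = resolveLocation($url, $location); // never re-validated
            continue;
        }
        return ['url' => $url, 'status' => $status, 'body' => $body];
    }
    throw new RuntimeException('too many redirects');
}

/** Fixed shape: follow redirects manually and validate every hop before requesting it. */
function proxyFixed(string $url, int $maxHops = 5): array
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isSafeUrlDemo($url)) {
            throw new InvalidArgumentException("blocked at hop $hop: $url");
        }
        [$status, $location, $body] = requestOnce($url);
        if ($status >= 300 && $status < 400 && $location !== null) {
            $url = resolveLocation($url, $location);
            continue;
        }
        return ['url' => $url, 'status' => $status, 'body' => $body];
    }
    throw new RuntimeException('too many redirects');
}

$start = 'http://attacker.example/start';
$r = proxyVulnerable($start);
echo "vulnerable: fetched {$r['url']} (" . strlen($r['body']) . " bytes of metadata)\n";
try {
    proxyFixed($start);
} catch (InvalidArgumentException $e) {
    echo "fixed: {$e->getMessage()}\n";
}
echo 'fixed, benign target: HTTP ' . proxyFixed('http://attacker.example/page')['status'] . "\n";
```

In the real endpoint, requestOnce() corresponds to get_headers($url, true, stream_context_create(['http' => ['follow_location' => 0]])) for the header step and to a cURL handle with CURLOPT_FOLLOWLOCATION set to false for the body fetch; both requests need the per-hop check, not just one. Validating the hostname is also only as good as the DNS answer at check time: a server whose record changes between the check and the request (DNS rebinding) bypasses it, so pin the resolved address for the actual request (for cURL, CURLOPT_RESOLVE) or validate the IP the connection was actually made to.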

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33039
GHSA-793Q-XGJ6-7FRP
GHSA-9X67-F2V7-63RW

Affected Products

Avideo