PT-2026-34205 · Avideo · Avideo

Published: 2026-04-14 · Updated: 2026-04-25 · CVE-2026-41060

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier

Description: The isSSRFSafeURL() function in objects/functions.php contains a same-domain short-circuit that lets any URL whose hostname matches webSiteRootURL bypass the Server-Side Request Forgery (SSRF) protections. SSRF is a flaw in which an attacker can make the server issue requests to a destination it was not meant to reach. Because the same-domain check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the server by supplying the public hostname together with a non-standard port. The response body is then saved to a web-accessible path, which allows full data exfiltration.

Recommendations: Update to a version that includes commit a0156a6398362086390d949190f9d52a823000ba. As a temporary workaround, consider restricting access to the isSSRFSafeURL() function until the update is applied.
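To make the weakness concrete, the following is an added illustration written for this advisory; it is not AVideo's PHP code and does not reproduce the project's actual isSSRFSafeURL() implementation. It models the hostname-only same-domain short-circuit the description refers to next to a hardened check that compares scheme, host and effective port before trusting a URL as same-origin, and otherwise only admits public hosts on standard web ports. The root URL and sample URLs are constructed stand-ins for webSiteRootURL.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for AVideo's webSiteRootURL setting (not a real site).
WEB_SITE_ROOT_URL = "https://videos.example.test/"
PUBLIC_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Explicit port if present and valid, else the scheme default, else None."""
    try:
        if parts.port is not None:
            return parts.port
    except ValueError:  # e.g. non-numeric or out-of-range port
        return None
    return DEFAULT_PORTS.get(parts.scheme)


def _is_public_host(parts):
    """Reject non-HTTP schemes, loopback/private/link-local literals and 'localhost'."""
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ip_address(parts.hostname)
    except ValueError:
        # Not an IP literal. Offline we can only screen the name itself; a
        # production check must also resolve it and vet the resolved address.
        return parts.hostname != "localhost"
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def is_ssrf_safe_url_weak(url, root=WEB_SITE_ROOT_URL):
    """Hostname-only short-circuit of the kind the advisory describes: the port is never compared."""
    target, root_parts = urlsplit(url), urlsplit(root)
    if target.hostname and target.hostname == root_parts.hostname:
        return True  # https://videos.example.test:3306/ passes here
    return _is_public_host(target)


def is_ssrf_safe_url_hardened(url, root=WEB_SITE_ROOT_URL):
    """Same-origin means scheme + host + effective port; anything else must be a public host on 80/443."""
    target, root_parts = urlsplit(url), urlsplit(root)
    if target.scheme not in ("http", "https") or not target.hostname:
        return False
    if target.username or target.password:
        return False  # userinfo tricks such as root@internal are not worth supporting
    same_origin = (target.scheme == root_parts.scheme
                   and target.hostname == root_parts.hostname
                   and _effective_port(target) == _effective_port(root_parts))
    if same_origin:
        return True
    if _effective_port(target) not in PUBLIC_PORTS:
        return False
    return _is_public_host(target)


if __name__ == "__main__":
    for sample in ("https://videos.example.test/path",
                   "https://videos.example.test:3306/",
                   "http://127.0.0.1/",
                   "http://169.254.169.254/latest"):
        print(sample, is_ssrf_safe_url_weak(sample), is_ssrf_safe_url_hardened(sample))
```

The hardened variant keeps the convenience of a same-origin allowance while closing the port gap, but it is still only a pre-flight filter: the name is not resolved, so a deployment should additionally resolve the host, reject private or loopback answers, and pin the checked address for the actual request so that DNS rebinding cannot undo the check.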

Tags: SSRF

Related Identifiers

CVE-2026-41060
GHSA-J432-4W3J-3W8J

Affected Products

Avideo