PT-2026-37300 · Avideo · Avideo

Snailsploit · Published 2026-05-05 · Updated 2026-05-29 · CVE-2026-43884

CVSS v3.1: 7.7 High
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions prior to 29.0

Description

Two endpoints, 'plugin/AI/receiveAsync.json.php' and 'objects/EpgParser.php', use the isSSRFSafeURL() function to validate user-supplied URLs but then fetch them using file_get_contents() without disabling automatic redirect following. This allows an attacker to provide a URL that redirects to an internal or cloud-metadata address (such as 'http://169.254.169.254/latest/meta-data/'), bypassing SSRF protections because only the initial URL is validated. This can lead to the exfiltration of IAM credentials, instance identity, or access to internal services and port scanning.
Additionally, several callers of isSSRFSafeURL() discard the $resolvedIP parameter intended for DNS pinning, making them susceptible to DNS rebinding TOCTOU (Time-of-Check to Time-of-Use) attacks. This occurs when a domain's DNS record changes between the time of validation and the time of the actual request. Affected callers include:
  • 'objects/aVideoEncoderReceiveImage.json.php'
  • 'objects/aVideoEncoder.json.php'
  • 'plugin/BulkEmbed/save.json.php'
  • 'plugin/AI/receiveAsync.json.php'
  • 'objects/EpgParser.php'
  • 'plugin/Scheduler/Scheduler.php'

Recommendations

Update AVideo to a version later than 29.0. As a temporary workaround, restrict access to the 'plugin/AI/receiveAsync.json.php' and 'objects/EpgParser.php' endpoints to minimize the risk of redirect-based SSRF.
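
The two weaknesses described above (unvalidated redirect hops and an unpinned DNS result) can be closed in one fetch routine. The following is an added example, not AVideo's code or its patch: the names example_is_public_ip() and example_safe_fetch() are hypothetical, and it uses cURL instead of file_get_contents() because CURLOPT_RESOLVE lets the request connect to the exact address that was validated. It assumes IPv4 resolution only and fails closed on anything else.

```php
<?php
// Added example; function names are hypothetical, not part of AVideo.

// True only for a public address: rejects private ranges, loopback,
// link-local (169.254.0.0/16, which holds 169.254.169.254) and reserved space.
function example_is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Resolve once, validate the resolved address, then connect to that same
// address. Redirects are never followed automatically: each Location target
// goes through the same validation before it is requested.
function example_safe_fetch(string $url, int $maxHops = 3): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $p = parse_url($url);
        $scheme = strtolower($p['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || empty($p['host'])) {
            throw new RuntimeException("rejected URL: $url");
        }
        $host = $p['host'];
        $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
        // gethostbyname() returns the input unchanged on failure, which then
        // fails the IP check below.
        $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
        if (!example_is_public_ip($ip)) {
            throw new RuntimeException("rejected destination $host ($ip)");
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,               // no automatic redirects
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_RESOLVE        => ["$host:$port:$ip"], // pin the validated IP
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        if ($body === false) {
            throw new RuntimeException('fetch failed');
        }
        if ($code < 300 || $code >= 400 || !$next) {
            return $body;
        }
        $url = $next; // re-validated at the top of the loop
    }
    throw new RuntimeException('too many redirects');
}
```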

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-43884
GHSA-2HCH-C97C-G99X

Affected Products

Avideo