PT-2026-43463 · Wwbn · Avideo

Snailsploit · Published 2026-05-15 · Updated 2026-05-29 · CVE-2026-45619

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions 29.0 and earlier

Description

Certain components, including EpgParser.php and plugin/AI/receiveAsync.json.php, do not use the $resolvedIP out-parameter of the isSSRFSafeURL() function for DNS pinning via CURLOPT_RESOLVE. As a result, the hostname is resolved again when the request is made, which creates a Time-of-Check to Time-of-Use (TOCTOU) condition and allows DNS rebinding attacks. DNS rebinding is a technique used to bypass security restrictions by changing the IP address associated with a domain name between the time the application validates the address and the time it actually accesses the resource.

Recommendations

Update to a version where EpgParser.php and plugin/AI/receiveAsync.json.php are patched to use redirect-safe methods or correctly implement DNS pinning using the $resolvedIP parameter with CURLOPT_RESOLVE.
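
The pinning that the recommendation describes, sketched as an added example (not AVideo's code and not its isSSRFSafeURL() implementation): the host is resolved once, that answer is validated, and the same address is handed to cURL through CURLOPT_RESOLVE. The helper names, the injectable resolver, and the sample hostname and addresses are assumptions constructed for illustration.

```php
<?php
// Added example with hypothetical helper names; not AVideo's code.

/** Fail closed on private, loopback, link-local and other reserved IPv4 ranges. */
function is_public_ip(string $ip): bool
{
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/**
 * Resolve the host once, validate that answer, and return cURL options that
 * pin the connection to it. Returns null when the URL must not be fetched.
 * $resolver is injectable (an assumption of this sketch) for offline testing.
 */
function pinned_curl_options(string $url, ?callable $resolver = null): ?array
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    if ($host === '' || !in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    // gethostbyname() is IPv4-only and returns its input on failure (rejected below).
    $ip = ($resolver ?? 'gethostbyname')($host);
    if (!is_public_ip($ip)) {
        return null;
    }
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // reuse the checked IP
        CURLOPT_FOLLOWLOCATION => false, // a redirect target would not be pinned
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ];
}

// Constructed resolver whose answer changes after the first lookup.
// 203.0.113.10 (documentation range) stands in for a public host.
$answers = ['203.0.113.10', '127.0.0.1'];
$rebind  = function (string $host) use (&$answers): string {
    return count($answers) > 1 ? array_shift($answers) : $answers[0];
};
$opts = pinned_curl_options('http://rebind.example.test/epg.xml', $rebind);
echo 'pinned entry:  ', $opts[CURLOPT_RESOLVE][0], PHP_EOL;
// Check-only code lets cURL resolve the name again at fetch time:
echo 'second lookup: ', $rebind('rebind.example.test'), PHP_EOL;
```

The returned array is meant to be applied with curl_setopt_array(); with CURLOPT_RESOLVE set, cURL still uses the original hostname for the Host header and TLS certificate verification.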

Fix

SSRF

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

CVE-2026-45619
GHSA-C3CH-22RQ-XFWR

Affected Products

Avideo