CVE 8.6 HIGH

AVideo has an incomplete fix for CVE-2026-33039 (SSRF)_CVE-2026-41055

April 21, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

AI Analysis

Incomplete SSRF fix in AVideo's LiveLinks proxy, allowing DNS rebinding and traffic redirection to internal endpoints

Basic Information

ID CVE-2026-41055

Source GitHub_M

Published Apr 21, 2026 at 22:25

Modified Apr 21, 2026 at 22:35

Affected Product

Vendor WWBN

Product AVideo

Version < 26.0

Affected Versions WWBN AVideo < 26.0

CWE Classification

CWE-918

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor WWBN

Product AVideo

Version < 26.0

References

{
    "lastseen": "",
    "description": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.",
    "published": "2026-04-21T22:25:45.488Z",
    "modified": "2026-04-21T22:35:27.054Z",
    "type": "cve",
    "title": "AVideo has an incomplete fix for CVE-2026-33039 (SSRF)",
    "source": "GitHub_M",
    "references": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp\nhttps://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw\nhttps://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917\nhttps://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8",
    "id": "CVE-2026-41055",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "WWBN AVideo < 26.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AVideo",
    "version": "< 26.0",
    "vendor": "WWBN",
    "ai_description": "Incomplete SSRF fix in AVideo's LiveLinks proxy, allowing DNS rebinding and traffic redirection to internal endpoints",
    "ai_severity": "High",
    "ai_vendor": "WWBN",
    "ai_product": "AVideo",
    "ai_version": "< 26.0",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply