CVE-2026-43884
Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) call isSSRFSafeURL() to validate a user-supplied URL and then fetch it with a bare file_get_contents(), without disabling PHP's automatic redirect following. An attacker can supply a URL on a server they control that answers with a 302 redirect to an internal or cloud-metadata address (for example http://169.254.169.254/latest/meta-data/). Because isSSRFSafeURL() validates only the initial URL, the redirect target bypasses the SSRF protection entirely. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.
Affected products
- WWBN AVideo, versions up to and including 29.0 (per the description)
Patches
No patches indexed yet. The fix commit referenced in the description, 603e7bf77a835584387327e35560262feb075db3, is listed under References.
Vulnerability mechanics
Both affected endpoints treat validation and retrieval as two independent steps: isSSRFSafeURL() inspects the URL the user submitted, and file_get_contents() then retrieves it. PHP's http:// stream wrapper follows Location headers on its own (the follow_location context option defaults to 1 and max_redirects to 20), so the server behind the validated URL can answer with 302 Location: http://169.254.169.254/latest/meta-data/ and the same call continues to that address without the check ever seeing it. The attacker needs only an external host under their control and a request that reaches one of the two endpoints; the body returned by the internal target (instance metadata, or any other HTTP service reachable from the AVideo host) then flows back through the application. The remedy is to stop the wrapper from following redirects (follow_location => 0 in the stream context) and either refuse redirects outright or re-run the same validation on every Location target before fetching it.
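The vulnerable pattern next to a hardened fetch, as an added example written for this page rather than AVideo's own code. The isSSRFSafeURL() shown is a simplified, IPv4-only stand-in so the example runs stand-alone; the project's real function, the two endpoints and the contents of the fix commit are not reproduced here. fetchVulnerable(), fetchHardened() and resolveLocation() are names chosen for the example.

```php
<?php
// Added example, not AVideo's code. Validate-once-then-bare-fetch next to a
// fetch that disables redirect following and re-validates every hop.
// isSSRFSafeURL() here is a simplified stand-in (IPv4 only), not the project's.

function isSSRFSafeURL(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    // Literal IPs are checked directly; hostnames are resolved to every A record.
    $ips = filter_var($p['host'], FILTER_VALIDATE_IP) ? [$p['host']] : gethostbynamel($p['host']);
    if (empty($ips)) {
        return false;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16; NO_RES_RANGE rejects
        // 0/8, 127/8, 169.254/16 (cloud metadata) and 240/4.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Vulnerable: the check sees only the submitted URL. The http:// wrapper follows
// Location headers by default (follow_location=1, max_redirects=20), so a host
// answering "302 Location: http://169.254.169.254/latest/meta-data/" moves the
// fetch to the metadata service after validation has already passed.
function fetchVulnerable(string $url)
{
    if (!isSSRFSafeURL($url)) {
        return false;
    }
    return file_get_contents($url);
}

// Hardened: PHP never follows a redirect. Each 3xx Location is resolved,
// validated with the same check, and only then requested, up to $maxHops times.
function fetchHardened(string $url, int $maxHops = 5)
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isSSRFSafeURL($url)) {
            return false; // fails closed on the initial URL and on every redirect target
        }
        $ctx = stream_context_create(['http' => [
            'follow_location' => 0,    // stop at the first response, whatever its status
            'ignore_errors'   => true, // still return on 3xx/4xx so the headers can be read
            'timeout'         => 10,
        ]]);
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false || empty($http_response_header)) {
            return false;
        }
        $status = 0;
        $location = null;
        foreach ($http_response_header as $h) {
            if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) {
                $status = (int) $m[1];
            } elseif (stripos($h, 'Location:') === 0) {
                $location = trim(substr($h, 9));
            }
        }
        if ($status < 300 || $status > 399 || $location === null) {
            return $body; // final response, no redirect to chase
        }
        // Relative Location values resolve against the current URL; the next
        // iteration re-validates the target before anything is sent to it.
        $url = resolveLocation($url, $location);
    }
    return false; // redirect chain too long
}

function resolveLocation(string $base, string $ref): string
{
    if (parse_url($ref, PHP_URL_SCHEME) !== null) {
        return $ref; // already absolute; the loop validates it before use
    }
    $b = parse_url($base);
    $origin = $b['scheme'] . '://' . $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');
    if ($ref !== '' && $ref[0] === '/') {
        return $origin . $ref;
    }
    $path = $b['path'] ?? '/';
    return $origin . substr($path, 0, strrpos($path, '/') + 1) . $ref;
}
```

With follow_location set to 0, $http_response_header holds only the headers of the single response that was actually received, which is what makes the per-hop check possible. Two caveats remain that this example does not solve: the hostname is resolved once inside the check and again by the stream wrapper at fetch time, so a DNS answer that changes between the two still reaches the wrong address, and the stand-in check ignores IPv6 records. Resolving once and connecting to the resolved IP (with the Host header set explicitly) closes the first gap; checking AAAA records as well closes the second.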
References
- github.com/advisories/GHSA-2hch-c97c-g99x (GHSA advisory)
- github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3 (NVD)
- github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99x (NVD)
- nvd.nist.gov/vuln/detail/CVE-2026-43884 (GHSA)
News mentions
- Metasploit Wrap-Up 04/17/2026, Rapid7 Blog, Apr 17, 2026