Medium severity6.5GHSA Advisory· Published May 29, 2026· Updated Jun 1, 2026
CVE-2026-45619
CVE-2026-45619
Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
WWBN/AVideoPackagist | <= 29.0 | — |
Affected products
3Patches
Vulnerability mechanics
References
4- github.com/WWBN/AVideo/security/advisories/GHSA-c3ch-22rq-xfwrnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-2hch-c97c-g99xghsaADVISORY
- github.com/advisories/GHSA-c3ch-22rq-xfwrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-45619ghsaADVISORY
News mentions
1- WWBN AVideo: Nine Bugs Disclosed Together — From Wallet Fraud to RCEVypr Intelligence · May 29, 2026