Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
25.0.1
CVE-2026-33039 describes a Server-Side Request Forgery (SSRF) vulnerability within the plugin/LiveLinks/proxy.php endpoint of wwbn/avideo. This flaw allows attackers to bypass URL validation by exploiting HTTP redirects, potentially granting access to internal services and sensitive data. The vulnerability affects versions of wwbn/avideo up to and including 25.0, and a fix is available in version 26.0.
The SSRF vulnerability in wwbn/avideo allows an attacker to craft a malicious URL that, after an HTTP redirect, points to an internal resource. The isSSRFSafeURL() function only validates the initial URL, failing to re-validate the redirect target. This enables access to internal services that would otherwise be inaccessible from the outside, such as cloud metadata endpoints (e.g., AWS EC2 instance metadata) and resources on RFC1918 private networks. Successful exploitation could lead to information disclosure, privilege escalation, or even remote code execution if internal services are vulnerable. The blast radius extends to any internal service reachable via HTTP, potentially impacting the entire internal network.
This vulnerability was publicly disclosed on 2026-03-17. Currently, there are no known active campaigns targeting this specific SSRF vulnerability. The presence of an HTTP redirect bypass is a common SSRF exploitation pattern, similar to vulnerabilities seen in other web applications. No public proof-of-concept exploits have been released at the time of writing, but the vulnerability's ease of exploitation suggests that it could become a target for opportunistic attackers.
Organizations using wwbn/avideo version 25.0 or earlier, particularly those with cloud deployments or internal services accessible via HTTP, are at significant risk. Shared hosting environments where multiple users share the same wwbn/avideo instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• php:
grep -r 'fakeBrowser()' /path/to/wwbn/avideo/plugin/LiveLinks/
• generic web:
curl -I 'http://your-avideo-server/plugin/LiveLinks/proxy.php?url=http://evil.com/redirect' | grep 'Location:'
• generic web:
grep -r 'isSSRFSafeURL()' /path/to/wwbn/avideo/
Disclosure
Exploit Status
EPSS
0.01% (percentile 2%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33039 is to upgrade to wwbn/avideo version 26.0 or later, which includes the necessary URL validation fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious redirects or to restrict access to the plugin/LiveLinks/proxy.php endpoint. Additionally, restrict network access to the wwbn/avideo server to only necessary ports and IP addresses. Monitor access logs for unusual outbound requests originating from the plugin/LiveLinks/proxy.php endpoint. After upgrading, confirm the fix by attempting to access an internal resource via a crafted URL with an HTTP redirect; the request should be blocked.
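The flaw described above (the initial URL is checked but the redirect target is not) and the fix the mitigation section calls for can be illustrated with a small PHP sketch. This is an added example, not AVideo's own code: isSSRFSafeURL() here is a stand-in for the project's function of the same name and may differ from it, and the fetcher and resolver are injected, constructed stand-ins so the scenario runs offline.

```php
<?php
// Added illustration, not AVideo's code: re-validate every redirect hop rather
// than trusting only the first URL. isSSRFSafeURL() is a stand-in for the
// project's function; $resolve is injected so no real DNS lookup is needed.
function isSSRFSafeURL(string $url, callable $resolve): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($p['host']);
    if ($host === 'localhost' || $host === 'metadata.google.internal') {
        return false;
    }
    // Judge the address the name resolves to, not the name itself.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : $resolve($host);
    if ($ip === null) {
        return false; // unresolvable: fail closed
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// $fetch(url) returns ['status' => int, 'location' => ?string, 'body' => string]
// and must NOT follow redirects itself (e.g. cURL with CURLOPT_FOLLOWLOCATION off).
function safeFetch(string $url, callable $fetch, callable $resolve, int $maxHops = 3): array {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isSSRFSafeURL($url, $resolve)) {       // checked on EVERY hop
            return ['ok' => false, 'reason' => "blocked: $url"];
        }
        $r = $fetch($url);
        if ($r['status'] < 300 || $r['status'] >= 400 || empty($r['location'])) {
            return ['ok' => true, 'body' => $r['body']];
        }
        // Only absolute Location values are followed; anything else is refused.
        if (!preg_match('#^https?://#i', $r['location'])) {
            return ['ok' => false, 'reason' => 'unsupported relative redirect'];
        }
        $url = $r['location']; // next hop is validated at the top of the loop
    }
    return ['ok' => false, 'reason' => 'too many redirects'];
}

// Constructed offline scenario: a public-looking host that redirects to the
// cloud metadata address. The hardened fetch refuses the second hop.
$resolve = fn(string $h) => ['cdn.example' => '198.51.100.5'][$h] ?? null;
$fetch = fn(string $u) => $u === 'http://cdn.example/video'
    ? ['status' => 302, 'location' => 'http://169.254.169.254/latest/meta-data/', 'body' => '']
    : ['status' => 200, 'location' => null, 'body' => 'SECRET'];
var_dump(safeFetch('http://cdn.example/video', $fetch, $resolve));
```

A fetch that validated only the first URL would pass the cdn.example check and then follow the Location header straight to the metadata endpoint; validating inside the loop is what closes that gap.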
Update AVideo to version 26.0 or later. This version fixes the SSRF vulnerability in the LiveLinks plugin, preventing attackers from reaching internal services through attacker-controlled HTTP redirects.
CVE-2026-33039 is a HIGH-severity SSRF vulnerability affecting wwbn/avideo versions 25.0 and below. It allows attackers to bypass URL validation via HTTP redirects, potentially accessing internal services.
You are affected if you are using wwbn/avideo version 25.0 or earlier. Upgrade to version 26.0 to mitigate the vulnerability.
Upgrade to wwbn/avideo version 26.0 or later. As a temporary workaround, implement a WAF rule to block suspicious redirects.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the official wwbn/avideo security advisory for detailed information and updates regarding CVE-2026-33039.