MEDIUM 6.5

CVE-2026-45619: WWBN AVideo DNS-Rebinding SSRF Vulnerability

WWBN AVideo, an open-source video hosting platform, contains a DNS-rebinding vulnerability in its Server-Side Request Forgery (SSRF) protections. When the application checks whether a URL is safe to fetch, it validates the domain name but then makes the actual network request without

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-367, CWE-918
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in EpgParser.php, the AI plugin's receiveAsync.json.php, and related code paths. These components invoke isSSRFSafeURL() to validate remote URLs but fail to use the $resolvedIP output parameter for DNS pinning. The absence of CURLOPT_RESOLVE in curl requests creates a Time-of-Check-Time-of-Use (TOCTOU) window: an attacker can serve a benign IP during validation, then pivot the DNS response to a private/restricted address (169.254.x.x, 127.0.0.1, internal subnets) before the actual request executes. This permits attackers to scan or interact with internal services, cloud metadata endpoints, or local resources that should be blocked.

Business impact

An attacker on the internet can exploit this flaw to access internal systems, retrieve cloud metadata credentials (AWS/Azure/GCP), or trigger actions against local services—all without authentication. In multi-tenant SaaS deployments or shared hosting, this escalates to lateral movement and data exfiltration. Video platforms often integrate with external APIs, CDNs, and webhooks; compromised SSRF protection undermines the security model for those integrations. Affected organizations face credential compromise, unauthorized API calls, and potential lateral movement into backend infrastructure.

Affected systems

WWBN AVideo version 29.0 and all earlier versions are vulnerable. The issue affects self-hosted and managed deployments. Any installation performing remote content fetching (EPG parsing, AI plugin operations, webhook handling, or external media imports) is at risk if exposed to internet traffic or untrusted users.

Exploitability

Exploitation requires network access but no authentication. An attacker must control or compromise a DNS server that responds to the target's queries—or perform DNS cache poisoning or local MITM attacks. The CVSS vector (AC:H) reflects the DNS control requirement, elevating the attack complexity. However, in environments where the attacker can influence DNS (compromised ISP, corporate network, cloud VPC), exploitation is straightforward and repeatable. Public PoC code for DNS-rebinding is mature and widely available.

Remediation

Upgrade to a patched version of WWBN AVideo released after version 29.0. The patch must enforce DNS pinning by capturing the resolved IP address during SSRF validation and passing it to CURLOPT_RESOLVE to lock all subsequent requests to that IP. Verify the patch is applied to all code paths that call isSSRFSafeURL(). Until patching, restrict network access to the application (firewall rules, VPN-only), disable external URL fetching features if possible, and implement egress filtering to block connections to private/reserved IP ranges and metadata endpoints.

Patch guidance

Check the official WWBN AVideo releases and security advisories at their GitHub repository or website for version 30.0 or later with SSRF remediation. Apply the patch to both primary application code and any enabled plugins (especially the AI plugin). If patches are unavailable or delayed, apply network-layer controls: configure WAF rules to reject requests targeting internal IPs, and use egress firewalls to prevent connections to 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and cloud metadata endpoints (169.254.169.254, metadata.google.internal).

Detection guidance

Monitor application logs for repeated or anomalous outbound requests to internal IP ranges, cloud metadata endpoints, or localhost. Look for HTTP requests with Host headers pointing to private subnets. Implement DNS query logging to detect rebinding patterns (same domain resolving to different IPs within short intervals). Use IDS/IPS rules to flag outbound connections to reserved ranges initiated by the web application. Review curl or HTTP client logs for CURLOPT_RESOLVE usage; its absence in patched versions would be suspicious.

Why prioritize this

This vulnerability merits prompt patching despite CVSS 6.5 (Medium) because: (1) SSRF is a foundational control for secure integrations; its compromise opens the door to credential theft and lateral movement; (2) the flaw affects core functionality (EPG parsing, plugin operations) in video platforms commonly exposed to the internet; (3) DNS-rebinding attacks are mature, low-friction for motivated attackers; (4) cloud deployments amplify risk due to metadata endpoint exposure. Organizations running internet-facing AVideo instances should prioritize this within their patch windows.

Risk score, explained

CVSS 6.5 reflects a network-accessible, low-privilege attack with high confidentiality impact (access to internal resources and credentials) and low integrity impact (potential for limited action-based attacks). The AC:H (Attack Complexity High) acknowledges the DNS control requirement, preventing a Critical rating. However, in real-world scenarios where DNS can be influenced (ISP compromise, internal network attackers, shared DNS infrastructure), the actual exploitability is higher than the score suggests. Organizations should weigh their network topology and threat model accordingly.

Frequently asked questions

Does this vulnerability require authentication to exploit?

No. Exploitation requires no credentials; the attacker must only control or influence DNS resolution seen by the AVideo server. Typically, this means compromising the ISP's DNS, poisoning the network's DNS cache, or executing a MITM attack on a shared network segment.

Can I mitigate this without patching?

Partially. Network-layer controls (firewall egress rules blocking private IPs, WAF rules rejecting internal targets, VPN-only access) reduce risk. However, these do not fully close the DNS-rebinding window. Patching is the definitive fix. Disabling external URL fetching features (if the deployment allows) provides the strongest interim protection.

What is DNS pinning and why does this vulnerability lack it?

DNS pinning means resolving a hostname to an IP address once, then forcing all subsequent connections (including the actual HTTP request) to use that same IP. This prevents an attacker from changing the DNS answer between validation and execution. AVideo's code validates the domain name but does not use CURLOPT_RESOLVE to pin the IP, allowing a rebinding attack.

Is this vulnerability in the CISA KEV catalog?

No, as of the last update, this CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog, indicating no observed in-the-wild exploitation has been reported to CISA. However, the absence from KEV does not mean attacks are not occurring; it reflects the lag in reporting and confirmation.

This analysis is provided for informational and defensive purposes. Organizations should consult official vendor advisories and apply patches according to their change management processes. This explainer does not constitute legal, compliance, or official vendor guidance. Verify all patch version numbers and release notes directly from WWBN's official sources before deployment. Test patches in a non-production environment first. SEC.co does not provide exploit code or weaponized attack guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).