Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-41055— AVideo has an incomplete fix for CVE-2026-33039 (SSRF)

CVSS 8.6 · High EPSS 0.05% · P15
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-41055

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
AVideo has an incomplete fix for CVE-2026-33039 (SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在代码问题漏洞,该漏洞源于LiveLinks代理中SSRF修复不完整,DNS TOCTOU漏洞可能导致DNS重定向到内部端点。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
WWBNAVideo < 26.0 -

II. Public POCs for CVE-2026-41055

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-41055

登录查看更多情报信息。

Same Patch Batch · WWBN · 2026-04-21 · 19 CVEs total

CVE-2026-4091110.0 CRITICALWWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaSc
CVE-2026-410649.3 CRITICALAVideo has an incomplete fix for CVE-2026-33502 (Command Injection)
CVE-2026-409098.7 HIGHWWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File W
CVE-2026-409258.3 HIGHWWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeo
CVE-2026-410568.1 HIGHAVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enable
CVE-2026-410588.1 HIGHAVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo
CVE-2026-410607.7 HIGHAVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
CVE-2026-409267.1 HIGHWWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Scrip
CVE-2026-410577.1 HIGHAVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) t
CVE-2026-409076.5 MEDIUMWWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys
CVE-2026-410626.5 MEDIUMWWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in Rec
CVE-2026-409285.4 MEDIUMAVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Cr
CVE-2026-409295.4 MEDIUMWWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comme
CVE-2026-410635.4 MEDIUMWWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)
CVE-2026-410615.4 MEDIUMWWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiv
CVE-2026-409085.3 MEDIUMWWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes De
CVE-2026-409355.3 MEDIUMWWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token
CVE-2026-41304WWBN AVideo vulnerable to RCE caused by clonesite plugin

IV. Related Vulnerabilities

Same product: AVideo
Same vendor: WWBN
Same weakness: CWE-918

V. Comments for CVE-2026-41055

No comments yet

Leave a comment