{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33039", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:38:50.912Z", "dateUpdated": "2026-03-20T13:52:22.947Z"}, "containers": {"cna": {"title": "AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"}, {"name": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:38:50.912Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0."}], "source": {"advisory": "GHSA-9x67-f2v7-63rw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:52:19.236660Z", "id": "CVE-2026-33039", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:52:22.947Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33039", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T13:52:19.236660Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:52:11.945Z"}}], "cna": {"title": "AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy", "source": {"advisory": "GHSA-9x67-f2v7-63rw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917", "name": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:38:50.912Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33039", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:52:22.947Z", "dateReserved": "2026-03-17T18:10:50.210Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T05:38:50.912Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En las versiones 25.0 e inferiores, el endpoint plugin/LiveLinks/proxy.php valida las URL proporcionadas por el usuario contra redes internas/privadas utilizando isSSRFSafeURL(), pero solo verifica la URL inicial. Cuando la URL inicial responde con una redirecci\u00f3n HTTP (encabezado Location), el objetivo de la redirecci\u00f3n se obtiene a trav\u00e9s de fakeBrowser() sin revalidaci\u00f3n, permitiendo a un atacante alcanzar servicios internos (metadatos de la nube, direcciones RFC1918) a trav\u00e9s de una redirecci\u00f3n controlada por el atacante. Este problema se corrige en la versi\u00f3n 26.0."}], "id": "CVE-2026-33039", "lastModified": "2026-03-23T16:22:49.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:12.150", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T17:53:42.284705+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to version\u202f26.0 or later, where the redirect check is applied", "Confirm that the proxy endpoint no longer follows redirects to private IP ranges or cloud metadata URLs", "Review logs and monitor traffic for abnormal proxy usage that may indicate SSRF attempts"], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw exists in the WWBN AVideo platform, specifically in versions 25.0 and older within the LiveLinks/proxy.php endpoint. The vulnerability was addressed in version 26.0, where each redirection is validated against internal addresses.", "description_and_impact": "A video hosting platform contains a proxy endpoint that accepts a user\u2011supplied URL and forwards the request to that URL. The code validates the initial URL for internal network addresses but does not re\u2011validate the URL after following an HTTP redirection. This allows an attacker to supply a URL that first redirects to an internal or cloud metadata endpoint, which is then fetched by the proxy unfiltered, giving the attacker access to internal resources without authentication. The primary impact is the ability to exfiltrate internal data or craft requests to internal services, compromising confidentiality and potentially enabling further attacks.", "risk_and_exploitability": "The vulnerability is scored 8.6 on the CVSS metric and has an EPSS likelihood of less than 1\u202f%. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must send a request to the proxy endpoint, which is typically reachable from any network that can reach the web application. An unauthenticated attacker can thus exploit this flaw to reach internal services and potentially compromise infrastructure. The risk is significant due to the high CVSS score, but the low EPSS suggests that widespread exploitation is currently unlikely."}}}}, "created": "2026-03-20T08:52:25.168332+00:00", "updated": "2026-03-25T14:30:21.193125+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}