SSRF Vulnerability in WWBN AVideo Open Source Video Platform
CVE-2026-43884

7.7HIGH

Key Information:

Vendor: Wwbn
Status: Avideo
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-43884?

WWBN AVideo, an open-source video platform, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability due to improper validation of user-input URLs in versions up to and including 29.0. This flaw arises from using the isSSRFSafeURL() function to check the initial input, while subsequent redirects—such as those returning a 302 status code to an internal address—bypass all existing SSRF safeguards. As a result, an attacker could exploit this vulnerability to redirect requests and gain unauthorized access to sensitive internal data, including cloud metadata services. A patch has been released to address this issue, improving overall security for users of the platform. For details on the fix, refer to the commit linked in the advisories.

Affected Version(s)

AVideo <= 29.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-2...

x_refsource_CONFIRM

https://github.com/WWBN/AVideo/commit/603e7bf77a835584387...

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-43884 Data

JSON

Wwbn

What is CVE-2026-43884?

Affected Version(s)

References

CVSS V3.1

Timeline