{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41055", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.172Z", "datePublished": "2026-04-21T22:25:45.488Z", "dateUpdated": "2026-04-22T14:00:50.623Z"}, "containers": {"cna": {"title": "AVideo has an incomplete fix for CVE-2026-33039 (SSRF)", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"}, {"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"}, {"name": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"}, {"name": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:35:27.054Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix."}], "source": {"advisory": "GHSA-793q-xgj6-7frp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:00:09.342567Z", "id": "CVE-2026-41055", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:00:50.623Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41055", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.172Z", "datePublished": "2026-04-21T22:25:45.488Z", "dateUpdated": "2026-04-22T14:00:50.623Z"}, "containers": {"cna": {"title": "AVideo has an incomplete fix for CVE-2026-33039 (SSRF)", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"}, {"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"}, {"name": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"}, {"name": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:35:27.054Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix."}], "source": {"advisory": "GHSA-793q-xgj6-7frp", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41055", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:00:09.342567Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:00:27.871Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix."}], "id": "CVE-2026-41055", "lastModified": "2026-04-22T14:17:03.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:20.707", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T07:07:33.462574+00:00", "value": {"mitigation_remediation": ["Update AVideo to a release that includes commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 or later, which corrects the DNS TOCTOU flaw.", "Disable or remove the LiveLinks proxy feature if it is not required for the deployment.", "Restrict the proxy to a whitelist of trusted external hosts and enforce strict DNS validation to mitigate SSRF attempts."], "summary": {"action": "Apply Patch", "impact": "Remote Server Access via Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source video platform WWBN AVideo, specifically all releases 29.0 and earlier. Versions updated with commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contain the corrected protection.", "description_and_impact": "AVideo versions up to 29.0 contain an incomplete protection for Server\u2011Side Request Forgery (CWE\u2011918) in its LiveLinks proxy. The mitigation added an isSSRFSafeURL() filter but did not address the DNS Time\u2011of\u2011Check to Time\u2011of\u2011Use flaw, allowing an attacker to perform DNS rebinding between the safe\u2011URL check and the actual request. This enables the attacker to cause the proxy to resolve a name that initially appears safe but later resolves to an internal IP or hostname, thereby giving the attacker access to internal resources or services exposed only within the infrastructure.", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity for this SSRF flaw. No EPSS score is published, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the LiveLinks proxy endpoint; an attacker can trigger internal requests if the proxy is reachable from the Internet or from compromised internal hosts."}}}}, "created": "2026-04-22T03:45:06.828114+00:00", "updated": "2026-04-22T07:15:11.668162+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}