Server-side request forgery (SSRF) in wwbn/avideo
Description
AVideo CVE-2026-43884 incomplete fix: six (or more) isSSRFSafeURL() call sites still discard the $resolvedIP out-param at master HEAD after 603e7bf
The CVE-2026-43884 fix (commit 603e7bf) patched EpgParser.php and plugin/AI/receiveAsync.json.php to fetch through url_get_contents(), which handles redirects safely. Neither patched site passes the $resolvedIP out-parameter of isSSRFSafeURL() on to cURL for DNS pinning via CURLOPT_RESOLVE, and at least six further call sites still discard $resolvedIP entirely. Because the hostname is validated once and then resolved a second time by libcurl at connect time, a DNS record under the attacker's control can answer the first lookup with a public address and the second with an internal one (DNS rebinding); the check and the use are separated, so the check can be bypassed (TOCTOU).
Reference correct pattern at plugin/YPTWallet/YPTWallet.php:1071-1098 (as quoted in the advisory, truncated):

```php
$resolvedIP = null; if (isSSRFSafeURL($url, $resolvedIP)) { curl_setopt($ch, CURLOPT_RESOLVE, ["$h
```
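The vulnerable and hardened shapes side by side, as an added example that is not AVideo's own code. It assumes the advisory's helper isSSRFSafeURL($url, &$resolvedIP) returns true when the URL may be fetched and sets $resolvedIP to the address it validated; fetchUnpinned() and fetchWithPinnedResolve() are hypothetical names for illustration. The hardened version also re-validates and re-pins every redirect hop, which CURLOPT_RESOLVE alone does not cover.

```php
<?php
// Added example, not AVideo's own code. Assumes the advisory's helper
// isSSRFSafeURL($url, &$resolvedIP): returns true when $url is allowed to be
// fetched and sets $resolvedIP to the address it validated. Both function
// names below are hypothetical.

/**
 * The pattern the advisory reports: the validated IP is discarded, so libcurl
 * resolves the hostname a second time. A DNS record with a short TTL can answer
 * the first lookup with a public address and the second with an internal one.
 */
function fetchUnpinned($url)
{
    if (!isSSRFSafeURL($url)) {      // $resolvedIP out-param never captured
        return false;
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);          // second, unchecked DNS lookup happens here
    curl_close($ch);
    return $body;
}

/**
 * Hardened version: each hop is pinned with CURLOPT_RESOLVE to the IP that
 * passed the check, so libcurl makes no further lookup for that host:port.
 * libcurl is told not to follow redirects; each Location is validated and
 * pinned again here, because a redirect target is a new host that the
 * original CURLOPT_RESOLVE entry knows nothing about.
 */
function fetchWithPinnedResolve($url, $maxRedirects = 3)
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $resolvedIP = null;
        if (!isSSRFSafeURL($url, $resolvedIP) || empty($resolvedIP)) {
            return false;            // unsafe target, or no IP reported by the check
        }

        $parts = parse_url($url);
        if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
            return false;
        }
        $scheme = strtolower($parts['scheme']);
        if ($scheme !== 'http' && $scheme !== 'https') {
            return false;
        }
        $host = $parts['host'];
        $port = isset($parts['port']) ? (int) $parts['port'] : ($scheme === 'https' ? 443 : 80);

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            // "host:port:address" pins the name to the validated IP for this handle.
            CURLOPT_RESOLVE        => [$host . ':' . $port . ':' . $resolvedIP],
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 15,
            CURLOPT_MAXFILESIZE    => 10 * 1024 * 1024,
        ]);
        $body     = curl_exec($ch);
        $status   = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $location = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);

        if ($body === false) {
            return false;
        }
        if ($status >= 300 && $status < 400 && !empty($location)) {
            $url = $location;        // next hop goes through the same check-and-pin
            continue;
        }
        return $body;
    }
    return false;                    // redirect chain too long
}
```

Pinning with CURLOPT_RESOLVE rather than rewriting the URL to the IP literal keeps the original hostname in the request, so SNI and certificate verification for https targets still apply to the name the caller asked for. CURLINFO_REDIRECT_URL is populated even with CURLOPT_FOLLOWLOCATION off, which is what lets the loop re-run isSSRFSafeURL() on every hop instead of trusting libcurl's own redirect handling.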
Mitigation
Capture the $resolvedIP out-parameter at every isSSRFSafeURL() call site and pass it to cURL via CURLOPT_RESOLVE, as plugin/YPTWallet/YPTWallet.php already does, so the connection is made to the address that was validated rather than to whatever a second DNS lookup returns.
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version |
|---|---|---|
| packagist | wwbn/avideo | |