CVE-2026-33039
Open Redirect in WWBN AVideo LiveLinks Plugin Enables SSRF
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | < 26.0 (26.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33039 is a Server-Side Request Forgery (SSRF) vulnerability in the LiveLinks proxy component of the WWBN AVideo platform versions 25.0 and below. The vulnerability arises because the proxy endpoint validates only the initial user-supplied URL against internal or private network addresses using the isSSRFSafeURL() function. However, if the initial URL responds with an HTTP redirect, the redirected URL is fetched without re-validation, allowing attackers to access internal services.
Specifically, the proxy fetches the redirect target using a function called fakeBrowser() without checking if the redirected URL points to restricted internal networks such as cloud metadata endpoints or RFC1918 private IP ranges. This flaw enables attackers to bypass SSRF protections and reach sensitive internal resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the plugin/LiveLinks/proxy.php endpoint in WWBN AVideo versions 25.0 and below, where SSRF protections are bypassed via HTTP redirects. Detection involves monitoring for requests to this endpoint that include URLs causing redirects to internal or cloud metadata addresses.
To detect exploitation attempts, you can look for unusual HTTP requests to the LiveLinks proxy endpoint that result in internal network or cloud metadata access. Network monitoring tools or web server logs can be used to identify such requests.
- Check web server access logs for requests to plugin/LiveLinks/proxy.php with parameters containing URLs that redirect to private IP ranges (e.g., 10.x.x.x, 192.168.x.x, 172.16.x.x) or cloud metadata IPs (e.g., 169.254.169.254).
- Use curl or similar tools to manually test the endpoint with URLs that cause redirects to internal addresses to verify if the vulnerability exists.
- Example command to test the endpoint (replace <target_url> with a URL that redirects internally):
  curl -v 'http://<avideo-host>/plugin/LiveLinks/proxy.php?livelink=<target_url>'
- Monitor for unexpected outbound HTTP requests from the server to internal or cloud metadata IPs, which may indicate exploitation attempts. [2]
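The access-log check above can be scripted. The following is an added example, not part of the CVE record or of AVideo itself: it parses combined-format access-log lines, keeps only requests to plugin/LiveLinks/proxy.php, URL-decodes the livelink parameter, and flags clients that pass a literal private, loopback or link-local address (the direct form that isSSRFSafeURL() is meant to block) or that cycle through many distinct targets. The log lines are constructed; the client IPs, hostnames and function names are assumptions.

```php
<?php
// Added example (not part of the CVE record or AVideo): scan combined-format
// access-log lines for LiveLinks proxy requests and flag the ones worth a look.

// Constructed sample lines; the client IPs and targets are illustrative only.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/LiveLinks/proxy.php?livelink=https%3A%2F%2Fcdn.example%2Flive.m3u8 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:01:05 +0000] "GET /plugin/LiveLinks/proxy.php?livelink=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 403 88 "-" "curl/8.5.0"
198.51.100.2 - - [20/Mar/2026:10:02:11 +0000] "GET /plugin/LiveLinks/proxy.php?livelink=http%3A%2F%2Fredir.example%2Fgo HTTP/1.1" 200 330 "-" "python-requests/2.31"
198.51.100.2 - - [20/Mar/2026:10:02:12 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
LOG;

// Extract client IP, HTTP status and the decoded livelink parameter, or null
// when the line is not a request to the LiveLinks proxy endpoint.
function parseProxyRequest(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    [$path, $query] = array_pad(explode('?', $m[2], 2), 2, '');
    if (strcasecmp($path, '/plugin/LiveLinks/proxy.php') !== 0) {
        return null;
    }
    parse_str($query, $params); // parse_str URL-decodes the parameter values
    return ['client' => $m[1], 'status' => (int) $m[3], 'livelink' => $params['livelink'] ?? ''];
}

// A livelink whose host is a literal private (RFC1918), loopback or link-local
// address (169.254.169.254 is the cloud metadata address) is a direct SSRF attempt.
function isInternalLiteral(string $url): bool
{
    $host = trim((string) (parse_url($url, PHP_URL_HOST) ?? ''), '[]');
    if ($host === '' || !filter_var($host, FILTER_VALIDATE_IP)) {
        return false; // hostnames need DNS to classify; leave those to egress monitoring
    }
    return filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Per-client findings: request count, distinct targets (a client cycling through
// many targets in a short window suggests probing) and direct internal targets.
function scanLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseProxyRequest($line);
        if ($req === null) {
            continue;
        }
        $c = &$findings[$req['client']];
        $c['requests'] = ($c['requests'] ?? 0) + 1;
        $c['targets'][$req['livelink']] = true;
        if (isInternalLiteral($req['livelink'])) {
            $c['internal'][] = $req['livelink'];
        }
        unset($c);
    }
    return $findings;
}

foreach (scanLog(SAMPLE_LOG) as $client => $f) {
    printf("%s: %d proxy requests, %d distinct targets, %d direct-internal%s\n",
        $client, $f['requests'], count($f['targets']), count($f['internal'] ?? []),
        empty($f['internal']) ? '' : ' (' . implode(', ', $f['internal']) . ')');
}
```

The redirect hop itself never appears in the web server's access log, because the proxy fetches the Location target server-side. A livelink pointing at a harmless-looking external hostname (redir.example above) is exactly the case this CVE describes, so the log scan should be paired with the last bullet: egress logging or host firewall rules that record the AVideo server's own outbound connections to RFC1918 ranges and 169.254.169.254.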
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade WWBN AVideo to version 26.0 or later, where the vulnerability is fixed.
If upgrading immediately is not possible, the following steps can help mitigate the risk:
- Disable automatic HTTP redirect following in the LiveLinks proxy plugin by setting the HTTP request context options 'follow_location' => 0 and 'max_redirects' => 0.
- Implement strict validation of redirect URLs before fetching them, including checking that the URL is valid, uses HTTP or HTTPS schemes, and passes SSRF safety checks (e.g., using isSSRFSafeURL()).
- Block or restrict access to the plugin/LiveLinks/proxy.php endpoint via web server configuration or firewall rules if it is not needed.
- Monitor and log attempts to access internal or cloud metadata IP addresses through the proxy to detect exploitation attempts. [1, 2]
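The first two mitigation steps together describe one pattern: never let the HTTP client follow a redirect on its own, and run the same SSRF check on every hop before fetching it. The following is an added example of that pattern, not AVideo's own code; it does not reproduce the project's isSSRFSafeURL() or fakeBrowser(), and the function names isPublicHttpUrl, resolveAll and safeProxyFetch are assumptions. It uses cURL with CURLOPT_FOLLOWLOCATION disabled, which is the cURL equivalent of the 'follow_location' => 0 stream-context option the advisory names, and reads the would-be redirect target from CURLINFO_REDIRECT_URL so that relative Location headers are already resolved.

```php
<?php
// Added example (not AVideo's code): fetch a proxied URL while re-validating
// every redirect hop. Function names here are assumptions, not project APIs.

// Accept only http(s) URLs whose host resolves exclusively to public addresses.
function isPublicHttpUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // no file://, gopher://, ftp:// and so on
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 brackets
    $addresses = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : resolveAll($host);
    if ($addresses === []) {
        return false; // unresolvable hosts are rejected rather than fetched
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE rejects RFC1918 and fc00::/7; NO_RES_RANGE rejects
        // loopback, 169.254.0.0/16 (cloud metadata), fe80::/10, ::ffff:0:0/96, etc.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Every A and AAAA record for the host; all of them must pass the check above.
function resolveAll(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        $ips[] = $rec['ip'] ?? $rec['ipv6'] ?? null;
    }
    return array_values(array_filter($ips));
}

// Fetch $url, following at most $maxHops redirects, validating each target
// before it is requested. Returns ['status', 'body', 'url'] or throws.
function safeProxyFetch(string $url, int $maxHops = 3): array
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isPublicHttpUrl($url)) {
            throw new RuntimeException("Blocked non-public target: $url");
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_FOLLOWLOCATION  => false, // cURL must never follow on its own
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT  => 5,
            CURLOPT_TIMEOUT         => 15,
        ]);
        $body = curl_exec($ch);
        if ($body === false) {
            $err = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException("Fetch failed for $url: $err");
        }
        $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        // Absolute Location target that cURL would have followed; '' when none.
        $next = (string) curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);
        if ($status >= 300 && $status < 400 && $next !== '') {
            $url = $next; // loop head re-validates the target before fetching it
            continue;
        }
        return ['status' => $status, 'body' => $body, 'url' => $url];
    }
    throw new RuntimeException("Too many redirects (limit $maxHops)");
}

// Usage: a redirect to a metadata or RFC1918 address now throws instead of being fetched.
try {
    $r = safeProxyFetch($argv[1] ?? 'https://example.com/');
    printf("%d from %s (%d bytes)\n", $r['status'], $r['url'], strlen($r['body']));
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```

One caveat a practitioner should keep in mind: the host is resolved during validation and then resolved again by cURL when connecting, so a DNS name that changes its answer between the two lookups (DNS rebinding) can still slip through. Pinning the validated address with CURLOPT_RESOLVE, or resolving once and connecting to the IP while sending the original Host header, closes that gap.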
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows unauthenticated attackers to access internal network services and cloud metadata endpoints through the vulnerable proxy. Attackers can exploit HTTP redirects to reach internal resources that are normally protected, such as AWS, GCP, or Azure metadata services.
- Exfiltration of sensitive data like IAM credentials (AccessKeyId, SecretAccessKey, Token) from cloud metadata services.
- Scanning and accessing internal RFC1918 network services, including databases, admin panels, and dashboards.
- The attack requires no privileges or user interaction and has low complexity, making it highly accessible to attackers.
Overall, this can lead to significant confidentiality breaches and unauthorized internal network access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know