CVE-2026-43879
Received Received - Intake
Authenticated Blind SSRF in WWBN AVideo via Donation Webhook

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). When any other user (including a second account owned by the same attacker) donates even a trivial amount via plugin/CustomizeUser/donate.json.php, the AVideo server issues a curl POST to the attacker-supplied URL, resulting in a blind SSRF. The handler uses only isValidURL() (which is a format check) and does not call the codebase's own isSSRFSafeURL() helper. Additionally, CURLOPT_FOLLOWLOCATION is enabled with no per-hop revalidation, so even if the stored URL were validated, an HTTP 307 from an attacker-controlled host could redirect the POST to internal targets. Commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43879
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. An authenticated user can set their own donation-notification webhook URL to point to internal, loopback, or metadata hosts such as 127.0.0.1 or 169.254.169.254. When another user makes a donation, the server sends a POST request to the attacker-supplied URL, resulting in a blind Server-Side Request Forgery (SSRF). The URL validation only checks the format and does not properly restrict unsafe URLs. Additionally, the server follows HTTP redirects without revalidation, which can be exploited to redirect requests to internal targets.

Impact Analysis

This vulnerability can allow an attacker to make the AVideo server send unauthorized requests to internal or protected network resources. This could lead to information disclosure from internal services, unauthorized access to metadata endpoints, or other internal systems that are normally inaccessible from outside. The attacker can exploit this SSRF to gather sensitive information or potentially escalate attacks within the internal network.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade WWBN AVideo to a version later than 29.0 where the issue is fixed (commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9).

Additionally, restrict or validate user-configured webhook URLs more strictly to prevent pointing to internal or loopback addresses.

Disable or carefully control CURLOPT_FOLLOWLOCATION to prevent HTTP redirects from bypassing URL validation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43879. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart