Security Advisory

CVE-2026-33039

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-20 05:38:50
Last updated 2026-03-20 13:52:22
Assigner GitHub_M
State PUBLISHED

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.