CVE-2026-41055: WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
(updated )
The incomplete SSRF fix in AVideo’s LiveLinks proxy adds isSSRFSafeURL() validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints.
References
- github.com/WWBN/AVideo
- github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917
- github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8
- github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp
- github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw
- github.com/advisories/GHSA-793q-xgj6-7frp
- nvd.nist.gov/vuln/detail/CVE-2026-33039
- nvd.nist.gov/vuln/detail/CVE-2026-41055
Code Behaviors & Features
Detect and mitigate CVE-2026-41055 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →