CVE-2026-41060: WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL

April 14, 2026 (updated April 24, 2026)

The isSSRFSafeURL() function in objects/functions.php contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site’s public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/a0156a6398362086390d949190f9d52a823000ba
github.com/WWBN/AVideo/security/advisories/GHSA-j432-4w3j-3w8j
github.com/advisories/GHSA-j432-4w3j-3w8j
nvd.nist.gov/vuln/detail/CVE-2026-41060

Code Behaviors & Features

Detect and mitigate CVE-2026-41060 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →