GHSA-793q-xgj6-7frp: WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF

April 14, 2026

The incomplete SSRF fix in AVideo’s LiveLinks proxy adds isSSRFSafeURL() validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917
github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp
github.com/advisories/GHSA-793q-xgj6-7frp
nvd.nist.gov/vuln/detail/CVE-2026-33039

Code Behaviors & Features

Detect and mitigate GHSA-793q-xgj6-7frp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →