CVE-2026-41055
Published: 21 April 2026
Summary
CVE-2026-41055 is a high-severity SSRF (CWE-918) vulnerability in Wwbn Avideo. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 14.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-21 (Secure Name/Address Resolution Service (Recursive or Caching Resolver)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly enforces protections against server-side request forgery (SSRF) attacks on public-facing systems like the AVideo LiveLinks proxy.
- Ensures validation of URL inputs to the LiveLinks proxy prevents SSRF exploitation via malicious URLs susceptible to DNS rebinding.
- Mitigates DNS TOCTOU vulnerabilities in SSRF by authenticating and verifying name/address resolution responses from authoritative sources, blocking rebinding attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing AVideo LiveLinks proxy enables remote unauthenticated exploitation to access internal resources via DNS rebinding, directly mapping to T1190 Exploit Public-Facing Application.
NVD Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
Deeper analysis
CVE-2026-41055 is a server-side request forgery (SSRF) vulnerability affecting WWBN AVideo, an open source video platform, in versions 29.0 and below. The issue resides in the LiveLinks proxy, where an incomplete SSRF fix introduced `isSSRFSafeURL()` validation but failed to address DNS time-of-check-to-time-of-use (TOCTOU) vulnerabilities. This allows DNS rebinding attacks, in which the DNS resolution checked during validation differs from the one used in the subsequent HTTP request, enabling redirection to internal endpoints. The vulnerability is classified under CWE-918 and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
Remote attackers can exploit this vulnerability without authentication or user interaction, since it is reachable over the network and has low attack complexity. Through DNS rebinding, an attacker can pass the SSRF check with a public address and then have the LiveLinks proxy send the actual request to an internal network resource, potentially leading to high confidentiality impact such as unauthorized access to sensitive internal services or data.
GitHub security advisories (GHSA-793q-xgj6-7frp, GHSA-9x67-f2v7-63rw) and related commits detail mitigation. An initial partial fix appears in commit 0e56382921fc71e64829cd1ec35f04e338c70917, but the complete resolution is provided in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8, which addresses the DNS TOCTOU issue. Security practitioners should update to a version incorporating this commit and review configurations of the LiveLinks proxy.
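The following Python sketch is an added illustration of the DNS TOCTOU pattern described above; it is not AVideo's code and does not reproduce `isSSRFSafeURL()` or either fix commit. The resolver (which answers with a public address first and an internal one afterwards), the HTTP client stub, the hostname `stream.example` and the IP addresses are all constructed stand-ins. The vulnerable function validates the name and then lets the client resolve it again; the hardened function resolves once, validates that address, and connects to exactly that address with the original hostname carried in the Host header, so there is no second lookup for an attacker's DNS server to answer differently.

```python
"""Added illustration (not AVideo code): a hostname check followed by a
fresh DNS lookup is a TOCTOU window; pinning the checked IP closes it."""
import ipaddress
from urllib.parse import urlsplit


def is_public_ip(ip_str: str) -> bool:
    """Reject address ranges an SSRF filter must never let a proxy reach."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class RebindingResolver:
    """Constructed stand-in for DNS under a rebinding attack: the first
    answer is a harmless public address, every later answer is internal."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def resolve(self, hostname: str) -> str:
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return answer


def fake_connect(ip: str, host_header: str) -> dict:
    """Constructed stand-in for the HTTP client: records where it connected."""
    return {"connected_to": ip, "host_header": host_header}


def fetch_vulnerable(url: str, resolver, connect=fake_connect) -> dict:
    """Validate-then-fetch: the check and the request each resolve the name,
    so a rebinding resolver can pass the check and then steer the request."""
    hostname = urlsplit(url).hostname
    if not is_public_ip(resolver.resolve(hostname)):      # time of check
        raise ValueError("blocked by SSRF filter")
    return connect(resolver.resolve(hostname), hostname)  # time of use: 2nd lookup


def fetch_pinned(url: str, resolver, connect=fake_connect) -> dict:
    """Resolve once, validate that address, connect to that exact address and
    send the original hostname as the Host header. No second lookup exists."""
    hostname = urlsplit(url).hostname
    ip = resolver.resolve(hostname)
    if not is_public_ip(ip):
        raise ValueError("blocked by SSRF filter")
    return connect(ip, hostname)


if __name__ == "__main__":
    url = "http://stream.example/live.m3u8"  # constructed, hypothetical URL
    dns = RebindingResolver(["93.184.216.34", "127.0.0.1"])  # constructed answers
    print("vulnerable:", fetch_vulnerable(url, dns))  # ends up at 127.0.0.1
    dns = RebindingResolver(["93.184.216.34", "127.0.0.1"])
    print("pinned:    ", fetch_pinned(url, dns))      # stays at 93.184.216.34
```

With a real HTTP client the pinning step means opening the socket to the validated IP while setting the Host header (and TLS SNI) to the original hostname, and the check has to be repeated on every redirect hop, because each redirect target is a new name that would otherwise be resolved afresh. Validating the resolver's answers themselves (the SC-21 control named above) addresses the same window from the DNS side.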
Details
- CWE(s)