CVE-2026-41060
Published: 21 April 2026
Summary
CVE-2026-41060 is a high-severity SSRF (CWE-918) vulnerability in Wwbn Avideo. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 10.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of URL inputs, including matching of both hostname and port, to block SSRF bypasses in the isSSRFSafeURL function.
- SI-2 (Flaw Remediation): mandates timely remediation of this specific SSRF flaw by applying the referenced commit, which corrects the port omission in the hostname check.
- Boundary protection at internal interfaces: limits the reachability of arbitrary ports on the server even if the application-level SSRF check is bypassed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF bypass in the public-facing AVideo application allows a low-privilege attacker to fetch data from internal server services and ports and have the responses saved to web-accessible paths for exfiltration, which directly enables collection of data from the local system.
NVD Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.
Deeper analysis
CVE-2026-41060 is a server-side request forgery (SSRF) vulnerability in WWBN AVideo, an open-source video platform, affecting versions 29.0 and below. The flaw exists in the `isSSRFSafeURL()` function in `objects/functions.php` at lines 4290-4296, where a same-domain shortcut compares only the hostname against `webSiteRootURL`, ignoring the port number. This bypasses all SSRF protections for URLs sharing the site's hostname but targeting arbitrary ports on the server.
The vulnerability requires low privileges (PR:L) and network access (AV:N) for exploitation, with no user interaction needed (UI:N). An attacker can craft a URL using the site's public hostname with a non-standard port to access internal services on the AVideo server. The response body is then saved to a web-accessible path, allowing complete exfiltration of sensitive data. It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-918 (Server-Side Request Forgery).
The official patch is provided in commit a0156a6398362086390d949190f9d52a823000ba on the AVideo GitHub repository, which fixes the port omission in the safety check. The GitHub security advisory GHSA-j432-4w3j-3w8j recommends applying this commit to mitigate the issue.
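To make the root cause and the corresponding SI-10 control concrete, the following is an added illustrative example in PHP; it is not AVideo's code and does not reproduce `isSSRFSafeURL()`. It models the class of "same site" shortcut the advisory describes (trust any URL whose hostname equals the site's hostname) beside a hardened version that also pins the scheme and the effective port, so a different port on the same hostname no longer inherits the site's trust. The constant `SITE_ROOT_URL` and the functions `effectivePort`, `isSameSiteHostOnly` and `isSameSiteStrict` are hypothetical names chosen for this example, and the sample URLs are constructed.

```php
<?php
// Added example, not AVideo's code: a hostname-only "same site" shortcut
// (the weak pattern described for CVE-2026-41060) beside a strict variant
// that compares scheme, hostname and effective port.
declare(strict_types=1);

// Hypothetical configured site root, standing in for a setting like webSiteRootURL.
const SITE_ROOT_URL = 'https://video.example.com/';

/** Effective port of a parsed URL: the explicit port, else the scheme default. */
function effectivePort(array $parts): ?int
{
    if (isset($parts['port'])) {
        return (int) $parts['port'];
    }
    return match (strtolower($parts['scheme'] ?? '')) {
        'http'  => 80,
        'https' => 443,
        default => null,
    };
}

/**
 * Weak shortcut: any URL whose hostname equals the site's hostname is trusted,
 * whatever its scheme or port. This is the gap the advisory describes.
 */
function isSameSiteHostOnly(string $url, string $siteRoot = SITE_ROOT_URL): bool
{
    $host     = parse_url($url, PHP_URL_HOST);
    $siteHost = parse_url($siteRoot, PHP_URL_HOST);
    return is_string($host) && is_string($siteHost)
        && strcasecmp($host, $siteHost) === 0;
}

/**
 * Hardened shortcut: the URL is "same site" only if scheme, hostname and
 * effective port all match the configured root. Malformed URLs and URLs
 * carrying credentials are never treated as the site itself.
 */
function isSameSiteStrict(string $url, string $siteRoot = SITE_ROOT_URL): bool
{
    $u = parse_url($url);
    $r = parse_url($siteRoot);
    if ($u === false || $r === false
        || empty($u['scheme']) || empty($u['host'])
        || empty($r['scheme']) || empty($r['host'])) {
        return false;
    }
    if (isset($u['user']) || isset($u['pass'])) {
        return false;
    }
    return strcasecmp($u['scheme'], $r['scheme']) === 0
        && strcasecmp($u['host'], $r['host']) === 0
        && effectivePort($u) === effectivePort($r);
}

// Constructed sample inputs with the decision each check makes.
$samples = [
    'https://video.example.com/objects/a.json',      // same scheme, host, port
    'https://video.example.com:443/objects/a.json',  // explicit default port
    'https://video.example.com:8080/',               // same host, other port
    'http://video.example.com/',                     // same host, other scheme/port
    'https://other.example.com/',                    // different host
];
foreach ($samples as $url) {
    printf("%-48s host-only=%-5s strict=%s\n", $url,
        isSameSiteHostOnly($url) ? 'trust' : 'deny',
        isSameSiteStrict($url)   ? 'trust' : 'deny');
}
```

Running this prints `trust` from the host-only check for the `:8080` and `http://` URLs, while the strict check denies them and accepts only the two URLs that resolve to the configured scheme, host and port. The strict comparison closes the port gap described on this page only; a URL that passes it should still go through the regular SSRF validation for redirects and the resolved target address, which is why the boundary-protection control listed above remains relevant as a second layer.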
Details
- CWE(s)