CVE-2026-45619

Summary

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.

Affected Software

VendorProductVersion RangeStatus
WWBNAVideo<= 29.0affected

Weaknesses

  • CWE-367: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References