WWBN AVideo SSRF Bypass via Redirects (CVE-2026-43884)

The National Vulnerability Database has detailed CVE-2026-43884, a high-severity Server-Side Request Forgery (SSRF) bypass affecting WWBN AVideo, an open-source video platform. Versions up to and including 29.0 are vulnerable. The flaw lies in two endpoints, plugin/AI/receiveAsync.json.php and objects/EpgParser.php, which use file_get_contents() to fetch user-supplied URLs after an isSSRFSafeURL() check.

The critical error, as outlined by the National Vulnerability Database, is the failure to disable PHP’s automatic redirect following. An attacker can supply a URL pointing to a server under their control, which then answers with a 302 redirect to an internal or cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Because isSSRFSafeURL() validates only the initial URL, the redirect target is never checked and the intended SSRF protections are bypassed entirely, granting access to sensitive internal resources. The National Vulnerability Database notes that commit 603e7bf77a835584387327e35560262feb075db3 contains the fix.
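The defect described above, and the shape of fix it implies, as an added PHP example that is not AVideo's code and not taken from the fix commit: the http stream wrapper's follow_location option (which defaults to following redirects) is set to 0, and every Location target is run through the same address check before a new request is issued. The page does not show the internals of isSSRFSafeURL(), so is_public_http_url() below is a stand-in written for this example; safe_fetch() and the URL used at the bottom are likewise constructed here.

```php
<?php
// Added example (not AVideo project code): fetch a user-supplied URL with
// PHP's automatic redirect following disabled and every hop re-validated.
declare(strict_types=1);

/** Stand-in for isSSRFSafeURL(): true only for absolute http(s) URLs whose host resolves solely to public IPv4 addresses. */
function is_public_http_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // file://, php://, gopher:// and similar wrappers are never acceptable
    }
    $host = $parts['host'];
    // A literal IP is checked directly; a hostname is resolved and every answer is checked,
    // so a name that resolves to 169.254.169.254 or 10.0.0.5 is rejected too.
    // gethostbynamel() returns IPv4 only, so IPv6 literals and IPv6-only names are rejected (conservative).
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects RFC 1918 space; NO_RES_RANGE rejects loopback, 0.0.0.0/8,
        // link-local 169.254.0.0/16 (where cloud metadata lives) and other reserved blocks.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

/**
 * Fetch $url, following at most $maxHops redirects and validating each target first.
 * Returns the body on a 2xx/3xx-free final response, or null if any hop is rejected or the request fails.
 */
function safe_fetch(string $url, int $maxHops = 3): ?string
{
    $context = stream_context_create([
        'http' => [
            'follow_location' => 0,    // the missing setting: never let PHP follow a Location header by itself
            'ignore_errors'   => true, // hand back headers/body for 3xx and 4xx instead of emitting a warning
            'timeout'         => 5,
        ],
    ]);

    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!is_public_http_url($url)) {
            return null; // rejected: the initial URL or a redirect target points at internal space
        }
        $body = @file_get_contents($url, false, $context);
        if ($body === false || empty($http_response_header)) {
            return null; // $http_response_header is set by the http wrapper in this scope
        }
        if (!preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
            return null;
        }
        $status = (int) $m[1];
        if ($status < 300 || $status >= 400) {
            return $status < 400 ? $body : null; // final response: 2xx body, 4xx/5xx treated as failure
        }
        $location = null;
        foreach ($http_response_header as $header) {
            if (stripos($header, 'Location:') === 0) {
                $location = trim(substr($header, 9));
            }
        }
        if ($location === null || $location === '') {
            return null;
        }
        // A relative Location is resolved against the current URL's origin only (minimal resolution).
        if (!preg_match('#^https?://#i', $location)) {
            $origin   = parse_url($url);
            $location = $origin['scheme'] . '://' . $origin['host']
                . (isset($origin['port']) ? ':' . $origin['port'] : '')
                . ($location[0] === '/' ? $location : '/' . $location);
        }
        $url = $location; // next iteration re-validates the new target before fetching it
    }
    return null; // too many redirects
}

// Usage with constructed inputs: the metadata address fails the check outright, and a
// redirect to it from an otherwise public host is refused before a second request is made.
var_dump(is_public_http_url('http://169.254.169.254/latest/meta-data/')); // bool(false)
var_dump(safe_fetch('https://example.com/feed.xml') !== null);
```

Two caveats a reviewer would raise against even this version: the check resolves the hostname once and file_get_contents() resolves it again, so a DNS answer that changes between the two lookups (rebinding) can still slip through unless the request is pinned to the validated IP; and relative Location handling here is deliberately minimal, so anything more exotic than an absolute or root-relative path is refused rather than guessed at.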

What This Means For You

  • If your organization uses WWBN AVideo, you need to patch immediately. This isn't theoretical; an attacker can weaponize this to access your cloud metadata, internal services, or sensitive configuration data. This is a direct path to deeper compromise, lateral movement, and data exfiltration. Don't wait for an active exploit to surface; the attack vector is clear.

Detection Rules

Rule: SSRF Bypass via Redirect to Cloud Metadata - CVE-2026-43884 (level critical; ATT&CK T1190, Initial Access). Sigma YAML:

title: SSRF Bypass via Redirect to Cloud Metadata - CVE-2026-43884
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-43884 by sending a URL to the vulnerable AVideo endpoints that redirects to the cloud metadata service (169.254.169.254). This bypasses SSRF protections by exploiting the automatic redirect following in file_get_contents().
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43884/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/plugin/AI/receiveAsync.json.php'
      - '/objects/EpgParser.php'
    cs-uri-query|contains:
      - 'http://169.254.169.254'
      - 'http://169.254.169.254/latest/meta-data/'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
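To see what the rule's selection does and does not catch, the following added PHP example (written for this page, not supplied with the rule) applies the same two contains conditions to three constructed webserver log lines. The line format, the field names and the client addresses are assumptions made for the example; the redirector hostname is invented. Note the second line: a request whose query carries an external URL that only later redirects to 169.254.169.254 is exactly the case the advisory describes, and it produces no hit, because the redirect happens server-side and is never visible in the web server's access log. Catching that case needs visibility into the AVideo host's outbound connections (for example, egress to 169.254.169.254 from the PHP worker), not this access-log rule alone.

```php
<?php
// Added example (not from the page or the AVideo project): the Sigma selection
// above applied to constructed W3C-style access log lines. Requires PHP 8 (str_contains).
declare(strict_types=1);

const VULNERABLE_PATHS  = ['/plugin/AI/receiveAsync.json.php', '/objects/EpgParser.php'];
const METADATA_MARKERS  = ['http://169.254.169.254', 'http://169.254.169.254/latest/meta-data/'];

/** Split a minimal line "date time c-ip cs-method cs-uri cs-uri-query sc-status" into named fields (assumed format). */
function parse_w3c_line(string $line): ?array
{
    $f = preg_split('/\s+/', trim($line));
    if ($f === false || count($f) < 7) {
        return null;
    }
    return ['c-ip' => $f[2], 'cs-method' => $f[3], 'cs-uri' => $f[4], 'cs-uri-query' => $f[5], 'sc-status' => $f[6]];
}

/** Mirror of the rule: cs-uri contains a vulnerable path AND cs-uri-query contains a metadata marker. */
function rule_matches(array $ev): bool
{
    $pathHit = false;
    foreach (VULNERABLE_PATHS as $p) {
        if (str_contains($ev['cs-uri'], $p)) {
            $pathHit = true;
            break;
        }
    }
    if (!$pathHit) {
        return false;
    }
    // The rule says nothing about encoding; this example decodes percent-encoding first.
    // A SIEM matching the raw field would miss "http%3A%2F%2F169.254.169.254" entirely.
    $query = urldecode($ev['cs-uri-query']);
    foreach (METADATA_MARKERS as $marker) {
        if (str_contains($query, $marker)) {
            return true;
        }
    }
    return false;
}

// Constructed sample lines (not real log data).
$constructed = [
    '2026-05-12 01:30:00 203.0.113.10 GET /plugin/AI/receiveAsync.json.php url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200',
    '2026-05-12 01:31:00 203.0.113.10 GET /objects/EpgParser.php url=https%3A%2F%2Fredirector.invalid%2Fepg.xml 200',
    '2026-05-12 01:32:00 198.51.100.7 GET /index.php - 200',
];

foreach ($constructed as $line) {
    $ev = parse_w3c_line($line);
    printf("%s  %s\n", ($ev !== null && rule_matches($ev)) ? 'MATCH ' : 'no hit', $line);
}
// Expected: MATCH for the first line only; the redirector case and the unrelated request produce no hit.
```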


Indicators of Compromise

ID | Type | Indicator
CVE-2026-43884 | SSRF | WWBN AVideo versions up to and including 29.0
CVE-2026-43884 | SSRF | Vulnerable endpoint: plugin/AI/receiveAsync.json.php
CVE-2026-43884 | SSRF | Vulnerable endpoint: objects/EpgParser.php
CVE-2026-43884 | SSRF | Vulnerable function: file_get_contents() with automatic redirect following
CVE-2026-43884 | SSRF | Bypass of isSSRFSafeURL() via 302 redirect to internal/cloud-metadata addresses (e.g., http://169.254.169.254/latest/meta-data/)

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 01:22 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
