8 matches found
CVE-2026-43879
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. Wh...
CVE-2026-43879 WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. Wh...
CVE-2026-43879 WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. Wh...
CVE-2026-43879
CVE-2026-43879 (WWBN/AVideo) describes a blind SSRF in the donation webhook flow. In versions up to 29.0, an authenticated user can configure donation_notification_url to point at internal or RFC1918 hosts (e.g., 127.0.0.1, 169.254.169.254). When another user donates, the server issues a curl POS...
WWBN AVideo 代码问题漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to version 29 contain code vulnerabilities. These vulnerabilities stem from an unvalidated donation notification Webhook URL, which may allow attackers to access internal or cloud...
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
Summary An authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. When any other user including a second account owned by the same attacker...
GHSA-WP38-WHX3-XFFH AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
Summary An authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. When any other user including a second account owned by the same attacker...
PT-2026-37295
Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.0 Description An authenticated user can configure a donation-notification webhook URL to point to internal, loopback, or metadata hosts, such as http://127.0.0.1:8080/ or http://169.254.169.254/latest/. When...