WWBN AVideo, an open source video platform, contains an SSRF vulnerability identified as CVE-2026-41055 affecting versions 26.0 and below. The issue stems from an incomplete SSRF mitigation in the LiveLinks proxy component, where the isSSRFSafeURL() function performs URL validation but is vulnerable to DNS TOCTOU attacks. This allows an attacker to perform DNS rebinding between the validation and the actual HTTP request, redirecting traffic to internal network endpoints. The vulnerability is addressed in a later commit (8d8fc0cadb425835b4861036d589abcea4d78ee8), but no official patch or remediation level is provided in the advisory data. The CVSS 3.1 score is 8.6, indicating high severity with network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact.

Successful exploitation of this SSRF vulnerability can lead to unauthorized access to internal network resources by redirecting server-side requests to internal endpoints. The confidentiality of internal services may be compromised. There is no indication of integrity or availability impact. No known exploits in the wild have been reported at this time.

An updated fix addressing this vulnerability is referenced in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8. However, no official patch or remediation level is confirmed in the provided data. Users should review the referenced commit and apply the updated fix from the WWBN AVideo source repository. Patch status is not yet confirmed — check the vendor advisory or official WWBN AVideo repository for current remediation guidance.