WWBN AVideo DNS-Rebinding Vulnerability in EpgParser.php and Async Receive Endpoint

Vulnerability

A vulnerability allowing DNS-rebinding attacks has been identified in WWBN AVideo versions through 29.0. The issue arises in EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations, where the $resolvedIP output parameter of the isSSRFSafeURL() function is not utilized for DNS pinning via CURLOPT_RESOLVE. This oversight creates a time-of-check-to-time-of-use (TOCTOU) vulnerability, enabling potential exploitation through DNS rebinding attacks.

Impact

Exploitation of this vulnerability could lead to DNS-rebinding attacks, allowing an attacker to manipulate DNS resolutions and potentially intercept or modify traffic.

Added: May 29, 2026, 2:25 PM

Updated: May 29, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

5.8

remediation

0.0

relevance

9.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

5.8

remediation

0.0

relevance

9.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WWBN AVideo DNS-Rebinding Vulnerability in EpgParser.php and Async Receive Endpoint

Vulnerability

Impact

Affected Products

WWBN AVideo

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating