Skip to main content

Avideo CVE-2026-34740

| EUVDEUVD-2026-17660 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-31 GitHub_M GHSA-x5vx-vrpf-r45f
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 21:14 euvd
EUVD-2026-17660
Analysis Generated
Mar 31, 2026 - 21:14 vuln.today
CVE Published
Mar 31, 2026 - 20:57 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.

AnalysisAI

Stored server-side request forgery (SSRF) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject arbitrary URLs into the EPG (Electronic Program Guide) link feature, which the server automatically fetches on each EPG page visit. This enables attackers to scan internal networks, access cloud metadata services, and interact with internal services without the authentication or complexity barriers normally present in network-based attacks. No public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability exists in AVideo's EPG link feature, which stores user-supplied URLs in a persistent manner. The root cause (CWE-918: Server-Side Request Forgery) stems from insufficient URL validation: the application uses only PHP's FILTER_VALIDATE_URL function, which has permissive validation logic and accepts internal network addresses (RFC 1918 ranges, localhost, etc.) as syntactically valid. AVideo maintains a dedicated isSSRFSafeURL() function designed to enforce stricter network access controls, but this function is not invoked in the EPG code path. As a result, when the EPG page is visited, the server automatically fetches the attacker-controlled URL without additional security checks, creating a persistent SSRF condition triggered on every page load. The attack surface spans any user account with upload permissions, reducing the barrier to exploitation within multi-user deployments.

RemediationAI

No vendor-released patch identified at time of analysis. Immediate mitigation measures are required: (1) restrict upload permissions to trusted users only and audit existing user accounts; (2) implement network segmentation to limit the server's ability to reach internal services, cloud metadata endpoints (such as 169.254.169.254), and sensitive internal hosts; (3) monitor HTTP/HTTPS requests originating from the AVideo server process for suspicious outbound connections to internal IP ranges or metadata services; (4) review EPG link entries in the AVideo database for suspicious URLs and remove them. Monitor the GitHub Security Advisory (GHSA-x5vx-vrpf-r45f) and WWBN AVideo release notes for patch availability. Alternatively, disable the EPG link feature if not operationally critical until a patch is released.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2026-34740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy