Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.
AnalysisAI
Stored server-side request forgery (SSRF) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject arbitrary URLs into the EPG (Electronic Program Guide) link feature, which the server automatically fetches on each EPG page visit. This enables attackers to scan internal networks, access cloud metadata services, and interact with internal services without the authentication or complexity barriers normally present in network-based attacks. No public exploit code identified at time of analysis.
Technical ContextAI
The vulnerability exists in AVideo's EPG link feature, which stores user-supplied URLs in a persistent manner. The root cause (CWE-918: Server-Side Request Forgery) stems from insufficient URL validation: the application uses only PHP's FILTER_VALIDATE_URL function, which has permissive validation logic and accepts internal network addresses (RFC 1918 ranges, localhost, etc.) as syntactically valid. AVideo maintains a dedicated isSSRFSafeURL() function designed to enforce stricter network access controls, but this function is not invoked in the EPG code path. As a result, when the EPG page is visited, the server automatically fetches the attacker-controlled URL without additional security checks, creating a persistent SSRF condition triggered on every page load. The attack surface spans any user account with upload permissions, reducing the barrier to exploitation within multi-user deployments.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation measures are required: (1) restrict upload permissions to trusted users only and audit existing user accounts; (2) implement network segmentation to limit the server's ability to reach internal services, cloud metadata endpoints (such as 169.254.169.254), and sensitive internal hosts; (3) monitor HTTP/HTTPS requests originating from the AVideo server process for suspicious outbound connections to internal IP ranges or metadata services; (4) review EPG link entries in the AVideo database for suspicious URLs and remove them. Monitor the GitHub Security Advisory (GHSA-x5vx-vrpf-r45f) and WWBN AVideo release notes for patch availability. Alternatively, disable the EPG link feature if not operationally critical until a patch is released.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed
Unauthenticated SQL injection in AVideo before 24.0.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17660
GHSA-x5vx-vrpf-r45f