Skip to main content

Avideo CVE-2026-39368

| EUVDEUVD-2026-19881 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-07 GitHub_M GHSA-q4x6-6mm2-crg9
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19881
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:23 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

AnalysisAI

Stored SSRF in WWBN AVideo 26.0 and prior allows authenticated streamers with low-privilege streaming permissions to store arbitrary callback URLs in the live restream log feature, triggering server-side requests to internal or loopback HTTP services. The vulnerability affects all versions up to and including 26.0; exploitation requires valid streaming credentials but no user interaction. No public exploit code has been identified, though a proof-of-concept exists per CISA SSVC data.

Technical ContextAI

The vulnerability resides in the live restream log callback mechanism, which implements server-side URL fetching without proper validation of the restreamerURL parameter. When a low-privilege streamer stores a malicious callback URL, the application later fetches that stored URL server-side, resulting in a stored SSRF condition (CWE-918). Unlike transient SSRF attacks, this stored variant persists in application state, allowing the attacker to trigger requests to internal services (e.g., loopback metadata services, internal APIs) without immediate interaction. The affected product is WWBN AVideo running on any platform, identified by CPE cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* through version 26.0.

RemediationAI

Upgrade WWBN AVideo to a version later than 26.0 as soon as possible; vendor advisories at https://github.com/WWBN/AVideo/security/advisories/GHSA-q4x6-6mm2-crg9 provide the fixed release. Prior to patching, restrict streaming permissions to trusted users only and audit restream log configurations for any suspicious callback URLs. If immediate upgrade is not feasible, implement network-level restrictions to prevent the application server from initiating HTTP requests to loopback addresses (127.0.0.1, ::1) and internal IP ranges, though this does not fully eliminate the risk of exfiltration to external attacker-controlled endpoints.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2026-39368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy