#VU125470 Server-Side Request Forgery (SSRF) in AVideo

 


Published: April 8, 2026


Vulnerability identifier: #VU125470
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote user to disclose sensitive information from internal and cloud-hosted services.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/Live/test.php when processing the statsURL parameter without isSSRFSafeURL() validation. A remote privileged user can send a specially crafted request to disclose sensitive information from internal and cloud-hosted services.

The endpoint returns the full fetched response in the HTML output, and the issue affects requests to localhost, private network ranges, and cloud metadata endpoints.
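
A detection example for the issue described above, added here and not code from AVideo or its vendor: it scans web access logs for requests to plugin/Live/test.php whose statsURL value points at a loopback, link-local (cloud metadata) or private address. The combined log format, the assumption that statsURL arrives in the query string, and the function names are assumptions; the sample log lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/plugin/Live/test.php"  # path named in the advisory
PARAM = "statsURL"                  # parameter named in the advisory

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - admin [08/Apr/2026:10:01:02 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F127.0.0.1%3A8080%2Fstat HTTP/1.1" 200 5120
203.0.113.7 - admin [08/Apr/2026:10:01:09 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 901
203.0.113.7 - admin [08/Apr/2026:10:02:30 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F10.0.4.12%2Fadmin HTTP/1.1" 200 2210
198.51.100.4 - admin [08/Apr/2026:10:05:00 +0000] "GET /plugin/Live/test.php?statsURL=https%3A%2F%2Fstream.example.org%2Fstat HTTP/1.1" 200 640
198.51.100.4 - - [08/Apr/2026:10:06:00 +0000] "GET /view/index.php?statsURL=http%3A%2F%2Flocalhost%2F HTTP/1.1" 200 100
"""

def classify(url):
    """Return 'loopback', 'link-local' or 'private' for an internal target, else None."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return None
    if host.rstrip(".").lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # other hostnames need DNS resolution, which is out of scope offline
    # Order matters: Python also reports loopback and link-local as is_private.
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "private" if ip.is_private else None

def scan(log_text):
    """Return (client, statsURL value, class) for each request to ENDPOINT with an internal target."""
    hits = []
    for line in log_text.splitlines():
        try:
            target = line.split('"')[1].split(" ")[1]  # request target from 'GET <target> HTTP/1.1'
        except IndexError:
            continue
        parts = urlsplit(target)
        if parts.path != ENDPOINT:
            continue
        for value in parse_qs(parts.query).get(PARAM, []):  # parse_qs percent-decodes values
            label = classify(value)
            if label:
                hits.append((line.split(" ", 1)[0], value, label))
    return hits
```

Hostnames that are not IP literals are not resolved here, so a name that resolves to an internal address is not flagged by this log-only check.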


Remediation

Install the security update from the vendor's website.
