Server-Side Request Forgery (SSRF) in AVideo - #VU125470

Published: April 8, 2026


Vulnerability identifier: #VU125470
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote privileged user to disclose sensitive information from internal and cloud-hosted services.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/Live/test.php: the value of the statsURL parameter is fetched server-side without first being passed through the isSSRFSafeURL() check. A remote privileged user can send a specially crafted request that makes the server fetch an attacker-chosen URL and disclose sensitive information from internal and cloud-hosted services.

Because the endpoint echoes the full fetched response body into its HTML output, the flaw can be used to read responses from localhost, private network ranges, and cloud metadata endpoints.
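The following is an added example, not AVideo's code: it shows the kind of check a statsURL-style parameter needs before the server fetches it. AVideo's own isSSRFSafeURL() is referenced by the advisory but not reproduced here; the function names (is_ssrf_safe_url, address_is_internal, sample_resolver), the SAMPLE_DNS table and the hostnames in it are this example's own, constructed so the code runs offline.

```python
"""Illustrative SSRF guard for a user-supplied fetch URL (added example, not AVideo's code).

The check rejects non-http(s) schemes, embedded credentials, and any host whose
literal or resolved addresses are loopback, private, link-local (including the
169.254.169.254 cloud metadata address), CGNAT, multicast or reserved.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. "rebind.example.org" models a
# host that answers with one public and one loopback address; a guard must reject
# the host if ANY of its addresses is internal, not just the first one.
SAMPLE_DNS = {
    "stats.example.org": ["1.2.3.4"],            # placeholder public address
    "rebind.example.org": ["1.2.3.4", "127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
}


def sample_resolver(host):
    """Offline stand-in for DNS; unknown names resolve to nothing (fail closed)."""
    return SAMPLE_DNS.get(host, [])


def default_resolver(host):
    """Resolve host to every IPv4/IPv6 address it maps to using the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # info[4][0] is the address; drop any IPv6 scope id such as "%eth0".
    return sorted({info[4][0].split("%")[0] for info in infos})


def address_is_internal(addr):
    """True when addr is not a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 and friends: judge the embedded IPv4 address, not the IPv6 wrapper.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, RFC 1918, link-local and 100.64.0.0/10;
    # multicast/reserved/unspecified are added explicitly because is_global does
    # not cover all of them on every Python version.
    return (not ip.is_global or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def is_ssrf_safe_url(url, resolver=default_resolver):
    """Return (ok, reason). ok is True only when the scheme is http(s), no
    credentials are embedded, and every address the host maps to is global."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:           # e.g. malformed IPv6 bracket syntax
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname               # lowercased; brackets stripped for IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, no DNS needed
    except ValueError:
        # Not a dotted/colon literal (hostname, or tricks like "2130706433" and
        # "0x7f000001"): let the resolver decide and check every answer.
        addrs = resolver(host)
    if not addrs:
        return False, f"host does not resolve: {host}"
    for addr in addrs:
        if address_is_internal(addr):
            return False, f"{host} -> {addr} is not globally routable"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://stats.example.org/status",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.example.org/",
                      "http://[::ffff:127.0.0.1]/"):
        print(candidate, is_ssrf_safe_url(candidate, sample_resolver))
```

Two caveats a practitioner would add on top of this check: resolving the name for validation and then letting the HTTP client resolve it again for the connection leaves a DNS rebinding window, so the fetch should connect to one of the addresses that passed validation (sending the original name in the Host header) and re-run the check on every redirect it follows; and the endpoint should return only the fields it actually needs from the upstream response rather than echoing the whole body, which is what turns a blind SSRF into a direct information disclosure in the case described above.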


Remediation

Install the security update from the vendor's website.
