Main Vulnerability Database Vulnerabilities #VU125499

#VU125499 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-34740

Published: April 8, 2026

Vulnerability identifier: #VU125499

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-34740

CWE-ID: CWE-918

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
AVideo

Software vendor:
World Wide Broadcast Network

Description

The vulnerability allows a remote user to perform server-side requests to arbitrary internal and external targets and disclose sensitive information.

The vulnerability exists due to server-side request forgery in the EPG link processing path when handling a stored user-supplied EPG URL. A remote user can store a crafted URL that the server fetches on subsequent EPG page visits to perform server-side requests to arbitrary internal and external targets and disclose sensitive information.

The issue is persistent because the URL is stored and re-fetched on every EPG page visit.

Remediation

Install security update from vendor's website.

External links

https://github.com/WWBN/AVideo/security/advisories/GHSA-x5vx-vrpf-r45f

#VU125499 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-34740

Description

Remediation

External links

Please verify you're human