#VU125509 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-39370
Published: April 8, 2026
AVideo
World Wide Broadcast Network
Description
The vulnerability allows a remote user to disclose sensitive information from internal services.
The vulnerability exists due to server-side request forgery in objects/aVideoEncoder.json.php, which fetches attacker-controlled downloadURL values when they carry an allowlisted media or archive extension. The extension check does not restrict which host the server connects to, so a remote user can submit a crafted downloadURL to disclose sensitive information from internal services.
The fetched response is stored as media content and later retrievable through the generated media URL.
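The gap described above, shown as an added PHP example that is not AVideo's code or its fix: an extension allowlist passes URLs aimed at internal addresses, while a check on the resolved destination rejects them. The function names, the extension list and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example, not AVideo code. Extension list and sample URLs are constructed.
const ALLOWED_EXT = ['mp4', 'webm', 'mp3', 'zip'];

// Suffix-only check: says nothing about where the request will go.
function extensionAllowed(string $url): bool
{
    $path = (string) parse_url($url, PHP_URL_PATH);
    return in_array(strtolower(pathinfo($path, PATHINFO_EXTENSION)), ALLOWED_EXT, true);
}

// Destination check: returns the resolved IPs only if every one is public,
// otherwise [] (fails closed on parse errors, other schemes, or no DNS answer).
function publicAddresses(string $url): array
{
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return [];
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host]
        : array_map(fn($r) => $r['ip'] ?? $r['ipv6'], @dns_get_record($host, DNS_A | DNS_AAAA) ?: []);
    foreach ($ips as $ip) {
        // Rejects RFC 1918, loopback, link-local and other reserved ranges.
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return [];
        }
    }
    return $ips;
}

// Both checks must pass. The fetch should then connect to one of the returned
// IPs (for example via cURL's CURLOPT_RESOLVE) with redirects disabled, so the
// address that was validated is the address that is contacted.
function mayFetch(string $url): bool
{
    return extensionAllowed($url) && publicAddresses($url) !== [];
}

$samples = [ // constructed inputs; IP literals so the demo needs no DNS
    'http://127.0.0.1:8080/export/backup.zip',
    'http://10.0.0.5/internal/report.mp4',
    'http://[::1]/status.webm',
    'https://203.0.113.10/media/clip.mp4', // documentation address standing in for a public host
];
foreach ($samples as $u) {
    printf("%-42s ext=%-3s fetch=%s\n", $u, extensionAllowed($u) ? 'ok' : 'no', mayFetch($u) ? 'allow' : 'deny');
}
```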