Server-Side Request Forgery (SSRF) in AVideo - #VU129517

 


Published: May 4, 2026


Vulnerability identifier: #VU129517
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information from internal, localhost, or cloud metadata services.

The vulnerability exists due to server-side request forgery in plugin/Live/test.php when processing the statsURL parameter without isSSRFSafeURL() validation. A remote privileged user can send a specially crafted request to disclose sensitive information from internal, localhost, or cloud metadata services.

The endpoint returns the full content of the fetched response in its HTML output. The issue is reachable with authenticated admin access.
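The missing check described above, sketched as an added example of validating a user-supplied stats URL before the server fetches it. This is not AVideo's code or its isSSRFSafeURL() implementation; the function names resolve_public_target() and fetch_pinned() and the sample URLs are hypothetical.

```php
<?php // Added illustration: hypothetical helpers, not AVideo's isSSRFSafeURL().

/** Return [host, port, ips] if $url is http(s) and every resolved address is public; else null. */
function resolve_public_target(string $url): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;
    $host = trim($p['host'], '[]');               // unwrap an IPv6 literal
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $records = @dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
        $ips = array_values(array_filter(array_map(
            fn($r) => $r['ip'] ?? $r['ipv6'] ?? null, $records)));
    }
    // Rejects RFC 1918, loopback, link-local 169.254/16, fc00::/7, fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $ips ? [$host, $port, $ips] : null;    // no usable address: reject
}

/** Fetch $url only if it validates, pinning the connection to a vetted IP. */
function fetch_pinned(string $url): ?string
{
    $t = resolve_public_target($url);
    if ($t === null) return null;
    [$host, $port, $ips] = $t;
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect would skip the check
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ];
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        $opts[CURLOPT_RESOLVE] = ["$host:$port:{$ips[0]}"]; // no second DNS lookup
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}
// Constructed sample inputs (IP literals, so no DNS or network access is needed).
foreach (['http://127.0.0.1/stat', 'http://169.254.169.254/', 'http://10.0.0.5:8080/stat'] as $u) {
    echo $u, ' => ', resolve_public_target($u) ? 'allowed' : 'rejected', PHP_EOL;
}
```

Pinning the vetted address with CURLOPT_RESOLVE keeps the fetch from resolving the hostname a second time, so the address that was checked is the address that is contacted.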


Remediation

Install the security update from the vendor's website.
