CVE-2026-34740Server-Side Request Forgery in Avideo

CWE-918Server-Side Request Forgery4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 92.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
PublishedMar 31
Latest updateApr 1

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored serve

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDwwbn/avideo26.0
Packagistwwbn/avideo26.0

🔴Vulnerability Details

2
OSV
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation2026-04-01
GHSA
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation2026-04-01

🕵️Threat Intelligence

1
Wiz
CVE-2026-34740 Impact, Exploitability, and Mitigation Steps | Wiz