Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.
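The description above contrasts a syntax-only URL check with a real SSRF guard. The following PHP is an added example, not AVideo's code and not its isSSRFSafeURL(): it shows the weak FILTER_VALIDATE_URL check beside a hypothetical hardened check that restricts the scheme, resolves the host and rejects private, loopback and link-local (metadata) addresses. The hostnames, IPs and the injected resolver are constructed so the demo runs without network access.

```php
<?php
// Added example, not AVideo's own code: the syntax-only check the advisory
// describes, beside a hardened check that also rejects non-public addresses.

// What the vulnerable path does: FILTER_VALIDATE_URL checks syntax only, so
// loopback, RFC 1918 and link-local (cloud metadata) hosts all pass.
function epgUrlWeakCheck(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
// NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Hypothetical hardened check (not AVideo's isSSRFSafeURL()): http(s) only,
// resolve the host and require every address to be public. $resolve is
// injectable so the demo below runs offline; the default uses dns_get_record.
function epgUrlHardenedCheck(string $url, ?callable $resolve = null): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) return false;
    $p = parse_url($url);
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) return false;
    $host = trim($p['host'] ?? '', '[]');   // parse_url keeps [] around IPv6 literals
    if ($host === '') return false;
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) return isPublicIp($host);
    $resolve ??= function (string $h): array {
        $ips = [];
        foreach ((array) @dns_get_record($h, DNS_A | DNS_AAAA) as $r) {
            $ips[] = $r['ip'] ?? $r['ipv6'] ?? '';
        }
        return $ips;
    };
    $ips = $resolve($host);
    if ($ips === []) return false;          // unresolvable: fail closed
    foreach ($ips as $ip) if (!isPublicIp($ip)) return false;
    return true;
}

// Constructed resolver (documentation-range public IP) and sample inputs.
$fakeDns = fn(string $h): array => ['epg.example' => ['203.0.113.10'],
                                    'internal.example' => ['10.0.0.5']][$h] ?? [];
foreach (['http://169.254.169.254/latest/meta-data/', 'http://10.0.0.5:8080/',
          'http://[::1]/', 'http://internal.example/', 'https://epg.example/epg.xml'] as $u) {
    printf("%-45s weak=%-6s hardened=%s\n", $u,
        epgUrlWeakCheck($u) ? 'accept' : 'reject',
        epgUrlHardenedCheck($u, $fakeDns) ? 'accept' : 'reject');
}
```

Resolving at validation time does not bind the later fetch: a hostname can be re-pointed at an internal address between the check and the request, so the fetch itself should pin the checked IP or repeat the check at connect time.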
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery enabling internal network discovery
Action: Assess Impact
AI Analysis

Impact

AVideo includes a stored SSRF flaw in its EPG link feature. Authenticated users with upload rights can persist any URL. The server fetches the URL each time an EPG page is viewed, but the code only applies basic URL validation and does not run the dedicated isSSRFSafeURL() check. As a result the system can be made to request arbitrary internal or cloud-metadata addresses, allowing an attacker to scan the private network, pull metadata, or communicate with internal services. The weakness is classified as CWE-918.

Affected Systems

The product affected is WWBN AVideo, versions 26.0 and earlier. Users who have upload permission in these releases are able to exploit the flaw.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate severity. The EPSS score is below 1%, so widespread exploitation is unlikely at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploit. Completion of the attack path requires legitimate authentication with upload rights, after which the attacker can cause the server to visit attacker-controlled URLs. If the target network hosts services that respond to these requests, sensitive internal information can be exposed or services can be abused.

Generated by OpenCVE AI on April 2, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch when it becomes available
  • Limit upload rights to users who truly need them
  • Disable or tightly restrict the EPG link feature if possible
  • Employ network segmentation or firewall rules to isolate the server from sensitive internal resources
  • Monitor outbound HTTP requests for anomalous activity

Generated by OpenCVE AI on April 2, 2026 at 04:50 UTC.

Advisories
Source: GitHub GHSA | ID: GHSA-x5vx-vrpf-r45f | Title: AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
History

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wwbn; Wwbn avideo
CPEs | | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products | | Wwbn; Wwbn avideo
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.
Title | | AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:45:58.524Z

Reserved: 2026-03-30T19:17:10.224Z

Link: CVE-2026-34740

Vulnrichment

Updated: 2026-04-01T18:45:54.699Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:32.713

Modified: 2026-04-01T18:43:31.743

Link: CVE-2026-34740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:34Z

Weaknesses