CVE-2026-39368 - Vulnerability Details

- WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

Published: 2026-04-07

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

WWBN AVideo allows an attacker-controlled restreamer URL to be stored and later fetched server‑side by the restream log feature. The stored URL is requested internally, giving the attacker the ability to reach loopback or other internal HTTP services. This stored Server Side Request Forgery can expose sensitive internal interfaces, leak data, or enable further lateral movement, depending on the internal services reachable by the application.

Affected Systems

The vulnerability exists in WWBN AVideo versions 26.0 and earlier. Users running these versions should verify the version and apply the latest release that excludes the vulnerable restream log callback flow.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Exploitation requires the attacker to be an authenticated user with streaming permission, a relatively low privilege level. No publicly known exploits are documented, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is server‑side request from the application, making it accessible to any authenticated streamer but not to unauthenticated users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update WWBN AVideo to the latest release that removes the vulnerable restream log callback flow (any version newer than 26.0).
If an update is not immediately possible, isolate the AVideo server from internal network resources that may be accessed by the restreamer URL to prevent SSRF against sensitive services.
Review and restrict user permissions so that only trusted streamers can set or store restreamer URLs.

Generated by OpenCVE AI on April 7, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-q4x6-6mm2-crg9	WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/security/advisories/GHSA-q4x6-6mm2-crg9

History

Wed, 22 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.
Title		WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
Weaknesses		CWE-918
References		https://github.com/WWBN/AVideo/security/advisories/GHSA-q4x6-6mm2-crg9
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T19:23:29.790Z

Updated: 2026-04-07T20:02:21.185Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39368

Vulnrichment

Updated: 2026-04-07T20:02:17.750Z

NVD

Status : Analyzed

Published: 2026-04-07T20:16:30.877

Modified: 2026-04-22T18:50:53.963

Link: CVE-2026-39368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:46:19Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object