CVE-2026-34740 MEDIUM

CVE-2026-34740: AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

Vendor Wwbn
Product AVideo
Weakness CWE-918 · SSRF
Published March 31, 2026
Last update April 1, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
April 1, 2026 Record updated

Related vulnerabilities

04Related CVE