CVE-2026-39368 MEDIUM

CVE-2026-39368: WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services

Vendor Wwbn

Product AVideo

Weakness CWE-918 · SSRF

Published April 7, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

Key dates

02Disclosure timeline

April 7, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-39368

Related vulnerabilities

CVE-2026-39368: WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services

01Description

02Disclosure timeline

03References

04Related CVE