Server-Side Request Forgery Vulnerability in AVideo by WWBN
CVE-2026-56342

6.1 MEDIUM

Key Information:

Vendor: Avideo

Status
Vendor
CVE Published: 20 June 2026

What is CVE-2026-56342?

AVideo, a video streaming solution, contains a server-side request forgery (SSRF) vulnerability in its Live/test.php file. The statsURL parameter is not subjected to adequate validation, specifically the isSSRFSafeURL() check, so an authenticated administrator can make the server send crafted requests to internal services, private IP ranges, and cloud metadata endpoints such as 169.254.169.254. Successful exploitation could lead to the disclosure of sensitive information, including IAM credentials, responses from internal services, and network configurations.
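For defenders reviewing exposure, the following added example (not from this advisory or the AVideo project) scans web access logs for Live/test.php requests whose statsURL value is anything other than a public IP literal. It assumes combined-format logs and that statsURL is sent in the query string; the log lines, function names and verdict labels are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Client and request target of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '203.0.113.7 - - [20/Jun/2026:10:01:02 +0000] "GET /Live/test.php?statsURL=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jun/2026:10:01:09 +0000] "GET /Live/test.php?statsURL=http://10.0.0.5:8080/stat HTTP/1.1" 200 90',
    '203.0.113.9 - - [20/Jun/2026:10:02:00 +0000] "GET /Live/test.php?statsURL=http://8.8.8.8/stat HTTP/1.1" 200 90',
    '203.0.113.9 - - [20/Jun/2026:10:02:03 +0000] "GET /Live/test.php?statsURL=http://stats.corp.example/ HTTP/1.1" 200 90',
    '203.0.113.9 - - [20/Jun/2026:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 4000',
]

def classify_destination(url):
    """Return 'internal', 'public', 'hostname' or 'unparsed' for a statsURL value."""
    try:
        host = urlsplit(url).hostname  # lower-cased, IPv6 brackets stripped
    except ValueError:
        host = None
    if not host:
        return "unparsed"
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # needs DNS resolution to decide, so report for review
    # is_global is False for private, loopback, link-local (169.254.0.0/16) ranges
    return "public" if addr.is_global else "internal"

def flag_requests(log_lines):
    """Return (client, statsURL, verdict) for requests worth reviewing."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith("Live/test.php"):
            continue
        for value in parse_qs(target.query).get("statsURL", []):  # percent-decoded
            verdict = classify_destination(value)
            if verdict != "public":
                findings.append((m.group("client"), value, verdict))
    return findings

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(finding)
```

Requests that carry statsURL in a POST body do not appear in access logs and need application-level or proxy logging to review.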

Affected Version(s)

AVideo 0 <= 27.0

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

offset