CVE-2026-56342
AVideo - Server-Side Request Forgery in Live/test.php via statsURL Parameter
CVSS Score
6.8
EPSS Score
0.0%
EPSS Percentile
0th
AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can exploit this by crafting requests to internal services, cloud metadata endpoints like 169.254.169.254, and localhost to retrieve sensitive information including IAM credentials, internal service responses, and network configuration details.
| CWE | CWE-918 |
| Vendor | avideo |
| Product | avideo |
| Published | Jun 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for avideo avideo
Be the first to know when new medium vulnerabilities affecting avideo avideo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
AVideo / AVideo
0 โค 27.0
References
Credits
๐ offset