CVE-2026-34740
Received Received - Intake
Stored SSRF Vulnerability in WWBN AVideo EPG Link Feature

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34740
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in WWBN AVideo, an open source video platform, specifically in versions 26.0 and prior. It involves the EPG (Electronic Program Guide) link feature, which allows authenticated users with upload permissions to store arbitrary URLs. These URLs are fetched by the server every time the EPG page is visited.

The URL validation uses PHP's FILTER_VALIDATE_URL, which does not prevent internal network addresses from being used. Although there is a function designed to prevent server-side request forgery (SSRF) called isSSRFSafeURL(), it is not applied in this part of the code.

As a result, this leads to a stored SSRF vulnerability, allowing attackers to make the server send requests to internal networks, access cloud metadata services, or interact with internal services.

Impact Analysis

This vulnerability can be exploited to scan internal networks, potentially revealing sensitive internal infrastructure details.

Attackers can access cloud metadata services, which may expose sensitive information such as credentials or configuration data.

It also allows interaction with internal services that are normally not accessible from outside, increasing the risk of further compromise.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting upload permissions to trusted users only and monitoring or disabling the EPG link feature to prevent storage of arbitrary URLs.

Additionally, reviewing and modifying the code to ensure the isSSRFSafeURL() function is called before fetching URLs can help prevent server-side request forgery.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart