Platform
php
Component
avideo
Fixed in
29.0.1
CVE-2026-41060 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in AVideo. This flaw allows attackers to bypass SSRF protections by exploiting a same-domain shortcircuit within the isSSRFSafeURL() function, potentially leading to data exfiltration. The vulnerability impacts AVideo versions 1.0.0 up to and including 29.0, but is resolved in version 29.1.
The SSRF vulnerability in AVideo allows an attacker to craft requests to arbitrary ports on the AVideo server. This bypass circumvents intended security measures designed to restrict outbound connections. The response body from these crafted requests is then saved to a publicly accessible path, enabling an attacker to exfiltrate sensitive data. This could include configuration files, internal API responses, or any other data accessible to the AVideo server. Successful exploitation could lead to unauthorized access to internal resources and compromise the confidentiality of the system.
CVE-2026-41060 was publicly disclosed on 2026-04-21. The vulnerability's simplicity and the potential for data exfiltration suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been identified as of this writing, but the vulnerability's nature makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations using AVideo in production environments, particularly those with sensitive data or internal services accessible via the web server, are at risk. Shared hosting environments where multiple users share the same AVideo instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability to access data belonging to other users.
• php: Examine the objects/functions.php file for the isSSRFSafeURL() function and its shortcircuit logic. Look for modifications or unexpected behavior related to hostname comparisons.
// Example: Check for the vulnerable logic in isSSRFSafeURL()
if (strpos($_SERVER['HTTP_HOST'], $webSiteRootURL) !== false) {
    // Vulnerable shortcircuit: a matching hostname is trusted regardless of port
}
• generic web: Monitor access logs for requests to the AVideo server using non-standard ports (e.g., 8080, 8443) or unusual hostnames.
• generic web: Check response headers for unexpected content or indicators of data exfiltration.
• generic web: Use curl to test SSRF bypass by attempting to access internal resources using the site's hostname and a non-standard port.
curl -v --connect-timeout 5 http://your-avideo-site.com:8080/internal/resourcedisclosure
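An access-log check in the spirit of the "monitor access logs" bullet above, written here as an added Python example (not AVideo's code): it flags request query parameters that carry a URL pointing at the site's own hostname on a non-standard port, the request shape the same-domain shortcircuit lets through. The site hostname, the combined log format and the endpoint path in the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs
SITE_HOST = "your-avideo-site.com"  # assumption: the hostname from webSiteRootURL
STANDARD_PORTS = {None, 80, 443}    # ports a same-host URL legitimately uses

# Combined log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def suspicious_urls(request_path, site_host=SITE_HOST):
    """Return query-parameter values that are URLs to site_host on a non-standard port."""
    hits = []
    # parse_qs percent-decodes each value once
    for values in parse_qs(urlsplit(request_path).query, keep_blank_values=True).values():
        for value in values:
            if "://" not in value:
                continue
            parts = urlsplit(value)
            try:
                port = parts.port  # ValueError on a malformed port such as "host:abc"
            except ValueError:
                hits.append(value)
                continue
            same_host = (parts.hostname or "").lower() == site_host.lower()
            if same_host and port not in STANDARD_PORTS:
                hits.append(value)
    return hits

def scan_log(lines, site_host=SITE_HOST):
    """Return (client, timestamp, path, urls) for each line carrying such a URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, path, _status = m.groups()
        urls = suspicious_urls(path, site_host)
        if urls:
            findings.append((client, ts, path, urls))
    return findings

# Constructed sample lines; the endpoint path is hypothetical, not an AVideo route
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:10:01:02 +0000] "GET /plugin/fetch.php?url=http%3A%2F%2Fyour-avideo-site.com%3A8080%2Fadmin HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Apr/2026:10:01:05 +0000] "GET /plugin/fetch.php?url=https%3A%2F%2Fyour-avideo-site.com%2Fclip.mp4 HTTP/1.1" 200 9812',
    '198.51.100.2 - - [21/Apr/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1400',
]
if __name__ == "__main__":
    for client, ts, path, urls in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {path} -> {urls}")
```

Only the first sample line is reported: the second points at the same host on the default HTTPS port and the third carries no URL parameter.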
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-41060 is to upgrade AVideo to version 29.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests with non-standard ports on the webSiteRootURL hostname. Additionally, review and restrict access to the web-accessible path where the response body is saved to minimize potential data exposure. Monitor AVideo logs for unusual outbound requests originating from the server.
Update AVideo to version 29.1 or later to fix the SSRF vulnerability. This update fixes the bug in the `isSSRFSafeURL()` function that made it possible to bypass SSRF protections by using the same domain hostname with a different port.
CVE-2026-41060 is a Server-Side Request Forgery (SSRF) vulnerability in AVideo versions 1.0.0 through 29.0, allowing attackers to bypass SSRF protections and potentially exfiltrate data.
You are affected if you are running AVideo versions 1.0.0 through 29.0. Upgrade to version 29.1 or later to mitigate the vulnerability.
Upgrade AVideo to version 29.1 or later. As a temporary workaround, implement a WAF rule to block requests with non-standard ports or suspicious hostnames.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation once a public proof-of-concept is available.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-41060.