CVE-2026-41060 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in AVideo. This flaw allows attackers to bypass SSRF protections by exploiting a same-domain short-circuit within the isSSRFSafeURL() function, potentially leading to data exfiltration. The vulnerability impacts AVideo versions 1.0.0 up to and including 29.0, and is resolved in version 29.1.
The SSRF vulnerability in AVideo allows an attacker to craft requests to arbitrary ports on the AVideo server, effectively bypassing intended security controls. This can be exploited to access internal services and resources that are not publicly exposed. The response body is saved to a web-accessible path, enabling full exfiltration of sensitive data. An attacker could potentially read configuration files, access internal APIs, or even interact with other services running on the same server, leading to a significant compromise of the system and its data.
CVE-2026-41060 was published on 2026-04-21. Public proof-of-concept code is currently unavailable, but the vulnerability's nature makes it likely to be exploited once a PoC is developed. The EPSS score is pending evaluation, but the SSRF nature of the vulnerability suggests a medium to high probability of exploitation. This vulnerability shares similarities with other SSRF exploits where bypassing hostname checks allows access to internal resources.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-41060 is to upgrade AVideo to version 29.1 or later, which includes the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests with non-standard ports or suspicious hostnames. Additionally, review and restrict the webSiteRootURL configuration to only include trusted domains. After upgrading, confirm the fix by attempting to access a non-standard port on the AVideo server and verifying that the request is blocked.
Update AVideo to version 29.1 or higher to mitigate the SSRF vulnerability. This update fixes the flaw in the `isSSRFSafeURL()` function that allowed SSRF protections to be bypassed by using the same website hostname with a different port.
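To make the fixed behaviour concrete, the following Python script is an added illustration written for this page; it is not AVideo's code and does not reproduce its PHP isSSRFSafeURL() implementation. It contrasts a hostname-only "same site" short-circuit of the kind the advisory describes with a hardened check that requires scheme, host and effective port to match the site root, and that refuses the server's own hostname on any other port. The site root URL, the function names and the sample URLs are all constructed for the example; the real setting in AVideo is webSiteRootURL, which the script only mentions in a comment.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed site root for this example. AVideo keeps its own value in the
# webSiteRootURL setting, but nothing in this script is AVideo's code.
SITE_ROOT_URL = "https://videos.example.org/"

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, effective_port) or None if the URL is unusable."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname  # already lower-cased; IPv6 brackets stripped
        port = parts.port      # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return scheme, host, port or DEFAULT_PORTS[scheme]


def hostname_only_match(url, site_root=SITE_ROOT_URL):
    """Weak same-site test of the kind the advisory describes: hostname only.

    Because it ignores the port, any port on the server's own hostname passes.
    Included purely to contrast with the hardened check below.
    """
    target, root = _origin(url), _origin(site_root)
    return bool(target and root and target[1] == root[1])


def same_origin(url, site_root=SITE_ROOT_URL):
    """Hardened same-site test: scheme, host and effective port must all match."""
    target, root = _origin(url), _origin(site_root)
    return bool(target and root and target == root)


def points_at_internal_address(host):
    """True for 'localhost' and for literal loopback/private/link-local IPs.

    Caveat: this inspects IP literals only. A production check must also
    resolve the hostname and pin the resolved address for the actual request,
    otherwise DNS can steer the fetch back inside the network.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return not ip.is_global


def is_ssrf_safe_url(url, site_root=SITE_ROOT_URL):
    """Decide whether a server-side fetch of `url` should be allowed.

    The site's own hostname is accepted only as the exact site origin; any
    other scheme or port on it is rejected. Other hosts must be http(s) and
    must not name an internal address.
    """
    target, root = _origin(url), _origin(site_root)
    if target is None or root is None:
        return False
    if target[1] == root[1]:
        return target == root
    return not points_at_internal_address(target[1])


if __name__ == "__main__":
    for candidate in (
        "https://videos.example.org/video/1",   # exact site origin: allowed
        "https://videos.example.org:6379/",     # own host, other port: blocked
        "http://videos.example.org/",           # own host, other scheme: blocked
        "http://127.0.0.1:8080/",               # loopback literal: blocked
        "https://cdn.example.net/thumb.jpg",    # external host: allowed
    ):
        print(f"{candidate:40} weak={hostname_only_match(candidate)!s:5} "
              f"fixed={is_ssrf_safe_url(candidate)}")
```

The second sample URL is the post-upgrade verification the mitigation section describes: the weak check accepts the server's own hostname on a non-standard port, while the hardened check rejects it. Hostname resolution is deliberately left out so the script runs offline; a deployed check needs it.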
CVE-2026-41060 is a Server-Side Request Forgery (SSRF) vulnerability in AVideo versions 1.0.0 through 29.0, allowing attackers to bypass SSRF protections and potentially exfiltrate data.
You are affected if you are running AVideo versions 1.0.0 through 29.0. Upgrade to version 29.1 or later to mitigate the vulnerability.
Upgrade AVideo to version 29.1 or later. As a temporary workaround, implement a WAF rule to block requests with non-standard ports or suspicious hostnames.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation once a public proof-of-concept is available.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-41060.