Platform
php
Component
avideo
Fixed in
29.0.1
CVE-2026-41060 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in AVideo. This flaw allows attackers to bypass SSRF protections by exploiting a same-domain shortcircuit within the isSSRFSafeURL() function, potentially leading to data exfiltration. The vulnerability impacts AVideo versions 1.0.0 up to and including 29.0, but is resolved in version 29.1.
The SSRF vulnerability in AVideo allows an attacker to craft requests to arbitrary ports on the AVideo server, effectively bypassing intended security controls. This can be exploited to access internal services and resources that are not publicly exposed. The response body is saved to a web-accessible path, enabling full exfiltration of sensitive data. An attacker could potentially read configuration files, access internal APIs, or even interact with other services running on the same server, leading to a significant compromise of the system and its data.
CVE-2026-41060 was published on 2026-04-21. Public proof-of-concept code is currently unavailable, but the vulnerability's nature makes it likely to be exploited once a PoC is developed. The EPSS score is pending evaluation, but the SSRF nature of the vulnerability suggests a medium to high probability of exploitation. This vulnerability shares similarities with other SSRF exploits where bypassing hostname checks allows access to internal resources.
Organizations using AVideo in production environments, particularly those with sensitive data or internal services accessible via the web server, are at risk. Shared hosting environments where multiple users share the same AVideo instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability to access data belonging to other users.
• php: Examine the objects/functions.php file for the isSSRFSafeURL() function and its shortcircuit logic. Look for modifications or unexpected behavior related to hostname comparisons.
// Example: check for the vulnerable logic in isSSRFSafeURL()
if (strpos($_SERVER['HTTP_HOST'], $webSiteRootURL) !== false) {
    // Vulnerable shortcircuit: a URL that matches the site's own host is trusted
    // without checking which port it targets
}
• generic web: Monitor access logs for requests to the AVideo server using non-standard ports (e.g., 8080, 8443) or unusual hostnames.
• generic web: Check response headers for unexpected content or indicators of data exfiltration.
• generic web: Use curl to test SSRF bypass by attempting to access internal resources using the site's hostname and a non-standard port.
curl -v --connect-timeout 5 http://your-avideo-site.com:8080/internal/resourcedisclosure
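The log review suggested above can be scripted. The following PHP is an added example and not AVideo's code: it scans access-log lines and reports every request that reached the site's own hostname on a port other than the ones it is meant to serve. It assumes the Apache `%v:%p` virtual-host prefix in front of the combined log format (adjust the regular expression for other layouts); the hostname, allowed ports and log lines are constructed sample values.

```php
<?php
// Added example, not AVideo's code: flag access-log requests that hit the site's own
// hostname on a port it is not meant to serve (see the detection note above).
// Assumed log layout: Apache "%v:%p" prefix followed by the combined log format, i.e.
//   host:port client ident user [date] "request" status bytes

function findNonStandardPortRequests(array $lines, string $siteHost, array $allowedPorts): array
{
    $hits = [];
    $pattern = '/^(\S+?):(\d+)\s+(\S+)\s+\S+\s+\S+\s+\[[^\]]+\]\s+"([^"]*)"\s+(\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // unrecognised layout; leave the line for manual review
        }
        $host    = $m[1];
        $port    = (int) $m[2];
        $client  = $m[3];
        $request = $m[4];
        $status  = (int) $m[5];
        if (strcasecmp($host, $siteHost) === 0 && !in_array($port, $allowedPorts, true)) {
            $hits[] = [
                'port'    => $port,
                'client'  => $client,
                'request' => $request,
                'status'  => $status,
            ];
        }
    }
    return $hits;
}

// Constructed sample log lines (hostname and client addresses are placeholders).
$logLines = [
    'your-avideo-site.com:443 203.0.113.5 - - [21/Apr/2026:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    'your-avideo-site.com:8080 203.0.113.5 - - [21/Apr/2026:10:00:01 +0000] "GET /internal/resource HTTP/1.1" 200 2048',
    'your-avideo-site.com:80 198.51.100.7 - - [21/Apr/2026:10:00:02 +0000] "GET /video/1 HTTP/1.1" 200 800',
];

// Only the second line is reported: same hostname, port 8080.
foreach (findNonStandardPortRequests($logLines, 'your-avideo-site.com', [80, 443]) as $hit) {
    printf("port %d from %s: %s (status %d)\n",
        $hit['port'], $hit['client'], $hit['request'], $hit['status']);
}
```

Run it against a copy of the real access log (one line per array element, or read the file with `file()`), and extend `$allowedPorts` with any additional ports the installation legitimately serves.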
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-41060 is to upgrade AVideo to version 29.1 or later, which includes the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests with non-standard ports or suspicious hostnames. Additionally, review and restrict the webSiteRootURL configuration to only include trusted domains. After upgrading, confirm the fix by attempting to access a non-standard port on the AVideo server and verifying that the request is blocked.
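To make the flaw class concrete, the following PHP is an added illustration and not AVideo's code: it places a loose "same domain" check, which mirrors the bypass described above (any URL on the site's own hostname is trusted regardless of port), beside a strict check that trusts the site's own host only on its configured scheme and port and requires every other host to resolve to a public address. `isSameDomainLoose`, `isSSRFSafeURLStrict`, `effectivePort` and the `$webSiteRootURL` value are constructed for this example and are not AVideo's actual function or configuration names.

```php
<?php
// Added illustration, not AVideo's code: a loose same-domain check beside a strict one.
// The loose version reproduces the shortcircuit the advisory describes; the strict
// version removes it. $webSiteRootURL is a constructed stand-in for the site setting.

// Port a parsed URL effectively targets when none is given explicitly.
function effectivePort(array $u): int
{
    if (isset($u['port'])) {
        return (int) $u['port'];
    }
    return strtolower($u['scheme'] ?? 'http') === 'https' ? 443 : 80;
}

// Loose check (the vulnerable pattern): a hostname match is enough, any port passes.
function isSameDomainLoose(string $url, string $webSiteRootURL): bool
{
    $siteHost   = (string) parse_url($webSiteRootURL, PHP_URL_HOST);
    $targetHost = parse_url($url, PHP_URL_HOST);
    return is_string($targetHost) && $siteHost !== '' && strpos($targetHost, $siteHost) !== false;
}

// Strict check: the site's own host is trusted only on its configured scheme and port;
// any other host must resolve to a public, routable address.
function isSSRFSafeURLStrict(string $url, string $webSiteRootURL): bool
{
    $site   = parse_url($webSiteRootURL);
    $target = parse_url($url);
    if ($site === false || $target === false || empty($target['scheme']) || empty($target['host'])) {
        return false;
    }
    $scheme = strtolower($target['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    if (strtolower($target['host']) === strtolower($site['host'])) {
        // Same host as the site: no shortcircuit, scheme and port must match as well.
        return $scheme === strtolower($site['scheme'])
            && effectivePort($target) === effectivePort($site);
    }
    // Foreign host: resolve it and reject loopback, private and reserved ranges.
    $ip = gethostbyname($target['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false; // unresolvable name (gethostbyname returns the input unchanged)
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed sample URLs; the second one is the case the advisory describes.
$webSiteRootURL = 'https://your-avideo-site.com/';
$samples = [
    'https://your-avideo-site.com/index.php',            // own origin: both allow
    'http://your-avideo-site.com:8080/internal/resource', // own host, other port: loose allows, strict denies
    'http://127.0.0.1:8080/',                             // loopback: loose denies, strict denies
];
foreach ($samples as $url) {
    printf("%-52s loose=%s strict=%s\n", $url,
        isSameDomainLoose($url, $webSiteRootURL) ? 'allow' : 'deny',
        isSSRFSafeURLStrict($url, $webSiteRootURL) ? 'allow' : 'deny');
}
```

The strict check also serves as a post-upgrade verification aid: the same three inputs, fed to the patched application's own fetch path, should produce the same allow/deny outcome as the strict function above.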
Update AVideo to version 29.1 or later to mitigate the SSRF vulnerability. This update fixes the flaw in the `isSSRFSafeURL()` function that allowed SSRF protections to be bypassed by using the website's own hostname with a different port.
CVE-2026-41060 is a Server-Side Request Forgery (SSRF) vulnerability in AVideo versions 1.0.0 through 29.0, allowing attackers to bypass SSRF protections and potentially exfiltrate data.
You are affected if you are running AVideo versions 1.0.0 through 29.0. Upgrade to version 29.1 or later to mitigate the vulnerability.
Upgrade AVideo to version 29.1 or later. As a temporary workaround, implement a WAF rule to block requests with non-standard ports or suspicious hostnames.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation once a public proof-of-concept is available.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-41060.