Platform: php
Component: avideo
Fixed in: 26.0.1
CVE-2026-39370 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in AVideo, an open-source video platform. This flaw allows authenticated uploaders to bypass SSRF validation and potentially exfiltrate sensitive data. The vulnerability impacts versions 0.0.0 up to and including 26.0, but is resolved in version 26.1.
An attacker exploiting this SSRF vulnerability can leverage the upload-by-URL feature to exfiltrate data from internal services or external resources that AVideo has access to. By crafting malicious downloadURL values with common media extensions (e.g., .mp4, .zip), the attacker can trick the server into fetching and storing responses as media content. This effectively turns the upload process into a covert channel for data exfiltration. The potential impact includes exposure of internal network configurations, sensitive data stored in internal databases, or even unauthorized access to external resources.
This vulnerability was publicly disclosed on 2026-04-07. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be easily exploited once a PoC is released. The vulnerability builds upon an incomplete fix for CVE-2026-27732, highlighting the importance of thorough testing after security patches.
Organizations using AVideo for video hosting and content management are at risk, particularly those with internal services or sensitive data accessible from the AVideo server. Shared hosting environments where multiple users share the same AVideo instance are also at increased risk, as a compromised user account could be used to exploit the vulnerability.
• php: Examine AVideo server access logs for requests to unusual or internal URLs originating from authenticated uploaders, for example (the `+` quantifier needs extended regex, hence `-E`):
  grep -E 'downloadURL=[^&]+' /var/log/apache2/access.log | grep 'AVideo'
• php: Check AVideo configuration files for any unusual or overly permissive network settings.
• generic web: Monitor AVideo server response headers for unexpected content types or unusual data being served.
• generic web: Use a web application firewall (WAF) to block requests containing suspicious URLs or patterns in the downloadURL parameter.
disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39370 is to upgrade AVideo to version 26.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include restricting network access for the AVideo server to only necessary resources, implementing strict input validation on the downloadURL parameter to prevent malicious characters or unexpected extensions, and monitoring AVideo logs for suspicious activity. After upgrading, confirm the fix by attempting an upload with a known malicious URL and verifying that the server does not fetch the response.
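The detection bullets above look for downloadURL values pointing at internal hosts, and the workaround paragraph asks for strict validation of that parameter. The following Python is an added example, not AVideo's code, showing both sides with one guard: check_download_url() applies the checks an upload-by-URL endpoint should run before fetching anything (scheme allowlist, no embedded credentials, media extension on the path only, every resolved address globally routable), and flag_suspicious() runs that same guard over access-log lines to find past requests the guard would have rejected. The /upload-by-url path, the log lines, the extension allowlist and the resolver table are all constructed assumptions so the example runs offline.

```python
"""SSRF guard for an upload-by-URL parameter, plus an access-log scan that
reuses the same guard. Constructed example, not AVideo's own code; the
endpoint path, log lines and resolver table are made up."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed allowlist of media extensions for the feature; not AVideo's list.
MEDIA_EXTENSIONS = (".mp4", ".webm", ".mp3", ".zip")

# Constructed resolver table so the example runs offline; production code
# would use default_resolver (the system resolver) instead.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],   # assumed public address
    "intranet.corp.example": ["10.0.0.5"],  # assumed RFC 1918 address
}


def default_resolver(host):
    """Return every A/AAAA address the system resolver gives for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def table_resolver(host):
    """Offline stand-in for default_resolver, backed by FAKE_DNS."""
    return FAKE_DNS[host]


def _is_public(addr):
    """True only for globally routable addresses; IPv4-mapped IPv6 is unwrapped."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global


def check_download_url(url, resolver=default_resolver):
    """Return (ok, reason); ok is True only when every check passes.
    Literal IP hosts are checked directly, hostnames through the resolver."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    # Extension is checked on the path only, so '.mp4' in the query cannot satisfy it.
    if not parts.path.lower().endswith(MEDIA_EXTENSIONS):
        return False, "path does not end in an allowed media extension"
    try:
        ipaddress.ip_address(parts.hostname)
        addrs = [parts.hostname]
    except ValueError:
        try:
            addrs = resolver(parts.hostname)
        except (OSError, KeyError) as exc:
            return False, f"could not resolve {parts.hostname}: {exc!r}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


# Apache combined-format request line; only the request target is needed.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def extract_download_urls(log_text):
    """Return every decoded downloadURL value found in the log text, in order."""
    urls = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        urls.extend(parse_qs(query).get("downloadURL", []))
    return urls


def flag_suspicious(log_text, resolver=default_resolver):
    """Return [(downloadURL, reason)] for log entries the guard would reject."""
    flagged = []
    for url in extract_download_urls(log_text):
        ok, reason = check_download_url(url, resolver)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed access-log lines; the /upload-by-url path is a placeholder.
SAMPLE_LOG = """\
10.1.2.3 - alice [07/Apr/2026:10:00:01 +0000] "GET /upload-by-url?downloadURL=https%3A%2F%2Fcdn.example.com%2Fclip.mp4 HTTP/1.1" 200 512
10.1.2.3 - alice [07/Apr/2026:10:00:09 +0000] "GET /upload-by-url?downloadURL=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus.mp4 HTTP/1.1" 200 2048
10.1.2.3 - alice [07/Apr/2026:10:00:15 +0000] "GET /upload-by-url?downloadURL=http%3A%2F%2Fintranet.corp.example%2Freport.mp4 HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for url, reason in flag_suspicious(SAMPLE_LOG, table_resolver):
        print(f"REJECT {url}: {reason}")
```

Two caveats when wiring a guard like this into a real fetch: resolve once and connect to the address you validated rather than letting the HTTP client resolve the name again (otherwise a DNS answer can change between check and use), and re-run the check on every redirect hop, since a public URL may redirect to an internal one. Python's is_global also treats documentation and benchmark ranges (192.0.2.0/24, 203.0.113.0/24, 198.18.0.0/15) as non-public, which is the conservative choice for this purpose.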
Update AVideo to version 26.1 or later to mitigate the SSRF vulnerability. The update fixes a download URL validation flaw that allowed attackers to exfiltrate internal responses.
CVE-2026-39370 is a Server-Side Request Forgery vulnerability in AVideo versions 0.0.0 through 26.0, allowing attackers to exfiltrate data via the upload-by-URL feature.
You are affected if you are running AVideo versions 0.0.0 through 26.0. Upgrade to version 26.1 or later to mitigate the risk.
Upgrade AVideo to version 26.1 or later. As a temporary workaround, restrict network access and implement strict input validation on the downloadURL parameter.
There is currently no evidence of active exploitation, but the vulnerability is considered exploitable and could be targeted in the future.
Refer to the AVideo project's official website and security advisories for the latest information and updates regarding CVE-2026-39370.