CVE-2026-39368
CVE-2026-39368 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. EPSS estimates a 0.21% chance of exploitation in the next 30 days.
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.
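The destination check that this class of bug calls for, as an added example (not AVideo's code or its patch): the stored callback URL is vetted when it is saved and again when the server is about to fetch it, because the host can resolve differently by then. The function names, hostnames and DNS data are constructed, and the resolver is injected so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

def is_public(ip_text):
    """True only for globally routable addresses (not loopback, RFC 1918, link-local, ...)."""
    return ipaddress.ip_address(ip_text).is_global

def check_callback_url(url, resolve):
    """Return (allowed, detail). resolve(host) -> list of IP strings for that host."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]            # IP literal: nothing to resolve
    except ValueError:
        addresses = resolve(host)     # hostname: judge every address it maps to
    if not addresses:
        return False, "host does not resolve"
    blocked = [a for a in addresses if not is_public(a)]
    if blocked:
        return False, "non-public address: " + ", ".join(blocked)
    return True, addresses[0]         # caller should connect to this vetted address

# Constructed DNS data; 8.8.8.8 only stands in for "some public address".
DNS_AT_SAVE = {"restream.example": ["8.8.8.8"], "rebind.example": ["8.8.8.8"]}
DNS_AT_FETCH = {"restream.example": ["8.8.8.8"], "rebind.example": ["127.0.0.1"]}

def demo():
    """Check each constructed stored URL at save time and again at fetch time."""
    stored = ["http://127.0.0.1:8080/", "http://[::1]/", "http://10.0.0.5/",
              "ftp://restream.example/log", "https://restream.example/log",
              "https://rebind.example/log"]
    results = {}
    for url in stored:
        at_save = check_callback_url(url, lambda h: DNS_AT_SAVE.get(h, []))[0]
        at_fetch = check_callback_url(url, lambda h: DNS_AT_FETCH.get(h, []))[0]
        results[url] = (at_save, at_fetch)
    return results

if __name__ == "__main__":
    for url, (save_ok, fetch_ok) in demo().items():
        print(f"{url:32} save={save_ok!s:5} fetch={fetch_ok}")
```

The `rebind.example` entry passes at save time and fails at fetch time, which is why the check has to run again at the point of the server-side request. Redirect responses need the same check before they are followed.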
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| WWBN | AVideo | <= 26.0 |
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-q4x6-6mm2-crg9 (Third Party Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
