Medium severity6.5NVD Advisory· Published Apr 7, 2026· Updated Apr 22, 2026

CVE-2026-39368

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
WWBN/AVideoPackagist	<= 26.0	—

Affected products

WWBN/Avideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Range: <=26.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/WWBN/AVideo/security/advisories/GHSA-q4x6-6mm2-crg9nvdThird Party AdvisoryWEB
github.com/advisories/GHSA-q4x6-6mm2-crg9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-39368ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000