CVE-2026-34740

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and earlier

Description AVideo, an open source video platform, contains a stored server-side request forgery (SSRF) issue in the Electronic Program Guide (EPG) link feature. Authenticated users with upload permissions can store arbitrary URLs, which the server retrieves when an EPG page is visited. The URL validation uses PHP's FILTER VALIDATE URL, which permits internal network addresses. The isSSRFSafeURL() function, designed to prevent SSRF, is not utilized in this specific code path. This allows for potential scanning of internal networks, access to cloud metadata services, and interaction with internal services.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.