CVE-2026-39368

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior

Description AVideo is an open source video platform. Versions 26.0 and prior are susceptible to a Server-Side Request Forgery (SSRF) issue within the Live restream log callback flow. This flow accepts a restreamerURL controlled by an attacker and subsequently fetches this URL server-side. This enables a stored SSRF, allowing authenticated streamers to trigger requests to loopback or internal HTTP services through the restream log feature. A low-privilege user with streaming permission can store an arbitrary callback URL and initiate server-side requests to internal resources.

Recommendations Update AVideo to a version later than 26.0.