CVE-2026-39368

WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

INFO

Published Date :

2026-04-07T19:23:29.790Z

Last Modified :

2026-04-07T20:02:21.185Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39368 vulnerability.

Vendors	Products
Wwbn	Avideo

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39368.

URL	Resource
https://github.com/WWBN/AVideo/security/advisories/GHSA-q4x6-6mm2-crg9

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact