Critical (9.3)

AVideo SSRF via incomplete fix (CVE-2026-41064)

CVE-2026-41064

Unauthenticated SSRF in WWBN AVideo up to and including 29.0 lets attackers scan internal networks and reach cloud instance metadata endpoints from the server. Fixed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536.

Affected: Wwbn Avideo

Patch now - CVE-2026-41064 is a critical server-side request forgery vulnerability in WWBN AVideo up to 29.0 that lets unauthenticated attackers scan internal networks and access cloud instance metadata from the server.

Overview

WWBN AVideo versions up to and including 29.0 contain a critical server-side request forgery (SSRF) vulnerability. An incomplete security fix for the test.php endpoint left the two other code paths, one using file_get_contents and one using curl, without any validation of the requested URL, allowing unauthenticated attackers to make arbitrary network requests from the server.

Technical Details

The original fix for test.php wrapped the URL passed to the wget command in escapeshellarg, but applied no equivalent protection to the file_get_contents and curl code paths. escapeshellarg only stops shell metacharacters in the URL from breaking out of the wget command line; it does not restrict where the request goes. The URL check itself, the regex /^http/, is also too loose: it only requires the string to begin with the letters http, so an input such as httpevil[.]com satisfies it without carrying the intended http:// or https:// prefix. An attacker can therefore supply URLs that pass the check yet point at internal services, cloud metadata endpoints, or other unintended targets. Note that a stricter scheme regex alone would not close the SSRF either: http://169.254.169.254/ is a well-formed http URL, so each fetch path also needs a host allow-list or a check that the destination does not resolve into loopback, private or link-local address space.

The vulnerability requires no authentication or user interaction and is exploitable over the network with low attack complexity. The CVSS score of 9.3 reflects the ease of exploitation and the potential to reach sensitive internal systems.
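The following is an added example, not AVideo's code and not taken from the advisory. It models the loose /^http/ check described above beside a hardened validator that requires a real http:// or https:// scheme, rejects embedded credentials, and refuses any destination whose literal or resolved address is private, loopback or link-local. The function names, the fake DNS table and the sample URLs are hypothetical; the resolver is injectable so the demo runs without network access.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's code. It models the loose check described in the
// advisory (/^http/) beside a hardened validator and runs both over constructed
// URLs. Function names, the fake DNS table and the sample URLs are hypothetical.

// The check the advisory describes: only asks whether the string starts with "http".
function weakUrlCheck(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// True only for a syntactically valid IPv4/IPv6 address that is not in a private
// (RFC 1918, fc00::/7), loopback, link-local (169.254.0.0/16, fe80::/10) or other
// reserved range. PHP 8.2+ also offers FILTER_FLAG_GLOBAL_RANGE, which additionally
// rejects non-global ranges such as 100.64.0.0/10.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Returns null when the URL may be fetched, otherwise the reason it was rejected.
// $resolve maps a hostname to the addresses it resolves to; the default uses
// gethostbynamel() (A records only; use dns_get_record() to cover AAAA as well).
function validateOutboundUrl(string $url, ?callable $resolve = null): ?string
{
    $resolve ??= static fn(string $host): array => gethostbynamel($host) ?: [];

    // Scheme check with the "://" delimiter the original regex lacks.
    if (preg_match('#^https?://#i', $url) !== 1) {
        return 'scheme must be http:// or https://';
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'unparseable URL or missing host';
    }
    // "http://user@host" forms are a classic way to disguise the real destination.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL are not allowed';
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals

    // Literal IP: check it directly. Hostname: check every address it resolves to,
    // so a name with one public and one internal record is still rejected.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addresses === []) {
        return "host $host does not resolve";
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            return "$host resolves to non-public address $ip";
        }
    }
    return null;
}

// Constructed DNS table for the offline demo; these records are hypothetical.
$fakeDns = [
    'example.com'       => ['93.184.216.34'],
    'localhost'         => ['127.0.0.1'],
    'metadata.internal' => ['169.254.169.254'],
    'dual.example'      => ['93.184.216.35', '10.0.0.5'], // one public, one RFC 1918 record
];
$resolver = static fn(string $host): array => $fakeDns[$host] ?? [];

// Constructed inputs: the first two pass /^http/ yet must never be fetched.
$samples = [
    'httpevil.com',
    'http://169.254.169.254/latest/meta-data/',
    'http://localhost:8080/admin',
    'http://metadata.internal/computeMetadata/v1/',
    'http://dual.example/',
    'http://user@example.com/',
    'http://[::1]/',
    'https://example.com/health',
];

foreach ($samples as $url) {
    printf(
        "%-48s weak=%-8s hardened=%s\n",
        $url,
        weakUrlCheck($url) ? 'allowed' : 'blocked',
        validateOutboundUrl($url, $resolver) ?? 'allowed'
    );
}
```

The point of a single validateOutboundUrl() gate is that it runs once, before the code branches into wget, file_get_contents or curl, so no parallel path can be left unguarded. Two caveats remain even with this check: the gap between validation and fetch is a window for DNS rebinding, and an HTTP redirect can send the request elsewhere after the check passed. For the curl path, pin the checked address with CURLOPT_RESOLVE and either disable CURLOPT_FOLLOWLOCATION or re-validate each hop; for the file_get_contents path, set follow_location to 0 in the http stream context, since that wrapper follows redirects by default and offers no address pinning.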

Impact

An unauthenticated attacker can use this SSRF to:

  • Scan internal networks and discover services
  • Access cloud instance metadata (e.g., AWS, GCP, Azure credential endpoints)
  • Read local files if combined with other AVideo features
  • Launch further attacks against internal systems from the AVideo server

While this vulnerability is not currently confirmed as actively exploited in the wild (as of the advisory publication date), the public availability of the incomplete fix details makes it a prime target for threat actors.

Remediation

The permanent fix is included in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536. AVideo administrators should:

  1. Update to the latest patched version immediately
  2. If immediate update is not possible, apply the commit manually or restrict access to test.php via web server configuration
  3. Monitor outbound connections from AVideo servers for unexpected destinations, in particular the cloud metadata address 169.254.169.254 and internal (RFC 1918, loopback, link-local) address ranges


Security Insight

This vulnerability highlights a common pitfall in security patch management: incomplete fixes. The developers addressed one attack vector (wget) but left two others (file_get_contents and curl) untouched, and kept a URL regex that does not enforce the scheme it was meant to enforce. This pattern - fixing the path named in the report while ignoring parallel code branches that handle the same input - appears regularly in open-source projects and underscores why a security fix should be verified against every code path that consumes the untrusted value, not just the one originally reported. Organizations relying on forked or modified versions of open-source software should audit their own patch application processes to ensure all code paths are covered.
