{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41060/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-41060"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["ssrf","avideo","cve-2026-41060","web-application"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-41060, in versions 29.0 and below. The vulnerability resides within the \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function located in \u003ccode\u003eobjects/functions.php\u003c/code\u003e. This function contains a flawed same-domain shortcircuit (lines 4290-4296) that permits any URL whose hostname matches \u003ccode\u003ewebSiteRootURL\u003c/code\u003e to bypass SSRF protections. The insufficient check only compares the hostname and neglects the port, enabling an attacker to target arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. Successful exploitation allows the attacker to save the response body to a publicly accessible path, resulting in full data exfiltration. The vulnerability is patched in commit a0156a6398362086390d949190f9d52a823000ba. Defenders should prioritize patching vulnerable instances to prevent unauthorized data access and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AVideo instance running version 29.0 or below.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL using the target AVideo server's hostname, but specifies a non-standard port (e.g., \u003ccode\u003ehttps://target-avideo.com:1337\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted URL into a feature that utilizes the \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function, such as a video import or URL preview functionality.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function incorrectly validates the URL due to the hostname match, bypassing the intended SSRF protections.\u003c/li\u003e\n\u003cli\u003eThe AVideo server initiates a request to the attacker-controlled port (e.g., 1337) on the AVideo server itself.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a listener on the specified port to capture sensitive information or internal service responses.\u003c/li\u003e\n\u003cli\u003eThe response body from the internal request is saved to a web-accessible path on the AVideo server.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the web-accessible path to retrieve the exfiltrated data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-41060) can lead to the exposure of sensitive information stored on the AVideo server or accessible via internal network resources. An attacker can potentially access internal services, databases, or configuration files. Depending on the nature of the exposed data, this could result in data breaches, unauthorized access to user accounts, or complete system compromise. Given the open-source nature of AVideo, a widespread vulnerability such as this could affect a significant number of installations, impacting organizations across various sectors using the platform for video hosting and distribution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit a0156a6398362086390d949190f9d52a823000ba to remediate the SSRF vulnerability (CVE-2026-41060).\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests containing the AVideo server's hostname with non-standard ports to identify potential exploitation attempts. Deploy the provided Sigma rule targeting this behavior.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks by restricting access to internal resources from the AVideo server.\u003c/li\u003e\n\u003cli\u003eRegularly audit and update all third-party software and libraries used by AVideo to address known security vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-19T12:00:00Z","date_published":"2024-01-19T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-ssrf/","summary":"WWBN AVideo versions 29.0 and below are vulnerable to Server-Side Request Forgery (SSRF) due to an insufficient hostname check in the `isSSRFSafeURL()` function, allowing attackers to reach arbitrary ports on the AVideo server and exfiltrate data.","title":"WWBN AVideo SSRF Vulnerability (CVE-2026-41060)","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-41060","version":"https://jsonfeed.org/version/1.1"}