<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-41060 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-41060/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 19 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-41060/feed.xml" rel="self" type="application/rss+xml"/><item><title>WWBN AVideo SSRF Vulnerability (CVE-2026-41060)</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-ssrf/</link><pubDate>Fri, 19 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-ssrf/</guid><description>WWBN AVideo versions 29.0 and below are vulnerable to Server-Side Request Forgery (SSRF) due to an insufficient hostname check in the `isSSRFSafeURL()` function, allowing attackers to reach arbitrary ports on the AVideo server and exfiltrate data.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-41060, in versions 29.0 and below. The vulnerability resides within the <code>isSSRFSafeURL()</code> function located in <code>objects/functions.php</code>. This function contains a flawed same-domain shortcircuit (lines 4290-4296) that permits any URL whose hostname matches <code>webSiteRootURL</code> to bypass SSRF protections. The insufficient check only compares the hostname and neglects the port, enabling an attacker to target arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. Successful exploitation allows the attacker to save the response body to a publicly accessible path, resulting in full data exfiltration. The vulnerability is patched in commit a0156a6398362086390d949190f9d52a823000ba. Defenders should prioritize patching vulnerable instances to prevent unauthorized data access and potential system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an AVideo instance running version 29.0 or below.</li>
<li>The attacker crafts a malicious URL using the target AVideo server's hostname, but specifies a non-standard port (e.g., <code>https://target-avideo.com:1337</code>).</li>
<li>The attacker injects the crafted URL into a feature that utilizes the <code>isSSRFSafeURL()</code> function, such as a video import or URL preview functionality.</li>
<li>The <code>isSSRFSafeURL()</code> function incorrectly validates the URL due to the hostname match, bypassing the intended SSRF protections.</li>
<li>The AVideo server initiates a request to the attacker-controlled port (e.g., 1337) on the AVideo server itself.</li>
<li>The attacker configures a listener on the specified port to capture sensitive information or internal service responses.</li>
<li>The response body from the internal request is saved to a web-accessible path on the AVideo server.</li>
<li>The attacker accesses the web-accessible path to retrieve the exfiltrated data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability (CVE-2026-41060) can lead to the exposure of sensitive information stored on the AVideo server or accessible via internal network resources. An attacker can potentially access internal services, databases, or configuration files. Depending on the nature of the exposed data, this could result in data breaches, unauthorized access to user accounts, or complete system compromise. Given the open-source nature of AVideo, a widespread vulnerability such as this could affect a significant number of installations, impacting organizations across various sectors using the platform for video hosting and distribution.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit a0156a6398362086390d949190f9d52a823000ba to remediate the SSRF vulnerability (CVE-2026-41060).</li>
<li>Inspect web server logs for requests containing the AVideo server's hostname with non-standard ports to identify potential exploitation attempts. Deploy the provided Sigma rule targeting this behavior.</li>
<li>Implement network segmentation to limit the impact of potential SSRF attacks by restricting access to internal resources from the AVideo server.</li>
<li>Regularly audit and update all third-party software and libraries used by AVideo to address known security vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>avideo</category><category>cve-2026-41060</category><category>web-application</category></item></channel></rss>