CVE-2026-56342 in AVideoinfo

Summary

by MITRE • 06/20/2026

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can exploit this by crafting requests to internal services, cloud metadata endpoints like 169.254.169.254, and localhost to retrieve sensitive information including IAM credentials, internal service responses, and network configuration details.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

VulnCheck

Reservation

06/20/2026

Disclosure

06/20/2026

Moderation

accepted

Entry

VDB-372568

CPE

ready

CWE

CWE-918 (confirmed)

CVSS

6.8 (CNA)

EPSS

0.00000

KEV

Activities

low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-56342
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-56342
CVE Details	https://www.cvedetails.com/cve/CVE-2026-56342/

◂ Previous Overview Next ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!