Lucene search
K

7 matches found

NVD
NVD
added 2026/06/20 7:16 p.m.14 views

CVE-2026-56342

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

6.8CVSS0.00236EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/20 6:27 p.m.19 views

CVE-2026-56342 AVideo - Server-Side Request Forgery in Live/test.php via statsURL Parameter

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

6.8CVSS0.00236EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/20 12:0 a.m.17 views

PT-2026-51174

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 27.1 Description Authenticated administrators can perform server-side request forgery SSRF—a flaw where a server is tricked into making requests to an unintended location—via the 'plugin/Live/test.php' endpoint. The...

6.8CVSS5.8AI score0.00236EPSS
Exploits0References9
Snyk
Snyk
added 2026/03/25 7:53 p.m.6 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the statsURL parameter in the plugin/Live/test.php endpoint. An administrator can access sensitive internal resources and clou...

6.9CVSS5.9AI score0.00236EPSS
Exploits0References2
OSV
OSV
added 2026/03/25 7:53 p.m.3 views

GHSA-WXJX-R2J2-96FX AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php

Summary The plugin/Live/test.php endpoint accepts a URL via the statsURL parameter and fetches it server-side using filegetcontents, curlexec, or wget, returning the full response content in the HTML output. The only validation is a trivial regex /^http/ that does not block requests to...

4.9CVSS5.8AI score
Exploits0References3
Prion
Prion
added 2018/09/16 2:29 a.m.22 views

Open redirect

The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter...

5.8CVSS6.4AI score0.01199EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2018/09/16 2:29 a.m.3 views

CVE-2018-17074

The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter...

6.1CVSS5.8AI score
Exploits0References4
Rows per page
Query Builder