
7 matches found

Cvelist
added 2026/04/07 7:26 p.m., 21 views

CVE-2026-39370 WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then...

CVSS 7.1, EPSS 0.00206
Exploits: 0, References: 1
EUVD
added 2026/02/04 7:55 p.m., 6 views

EUVD-2026-5363

OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/fil...

CVSS 6.5, AI score 5.5, EPSS 0.00745
Exploits: 1, References: 1
Positive Technologies
added 2026/02/04 12:0 a.m., 4 views

PT-2026-6291

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.1.30. Description: OpenClaw is a personal AI assistant. The isValidMedia function in src/media/parse.ts allows arbitrary file paths, including absolute paths, home directory paths, and directory traversal sequence...

CVSS 6.5, AI score 5.7, EPSS 0.00745
Exploits: 1, References: 12
Veracode
added 2022/04/06 8:59 a.m., 26 views

Authentication Bypass

ReadyMedia is vulnerable to authentication bypass. The vulnerability exists due to a rebinding issue which allows an attacker to exfiltrate media files of a remote web server...

CVSS 7.4, AI score 4.5, EPSS 0.01565
Exploits: 0, References: 6, Affected Software: 1
ATTACKERKB
added 2022/03/06 7:15 a.m., 2 views

CVE-2022-26505

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files...

CVSS 7.4, AI score 7.1, EPSS 0.01565
Exploits: 0, References: 6
OSV
added 2022/03/06 7:15 a.m., 1 views

UBUNTU-CVE-2022-26505

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files...

CVSS 7.4, AI score 7.1, EPSS 0.01565
Exploits: 0, References: 6
AlpineLinux
added 2022/03/06 12:0 a.m., 37 views

CVE-2022-26505

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files...

CVSS 7.4, AI score 7.4, EPSS 0.01565
Exploits: 0