PatchSiren

CVE-2026-56342 AVideo CVE debrief

CVE-2026-56342 is a medium-severity server-side request forgery (SSRF) vulnerability in AVideo versions up to 27.0. The vulnerability exists in the plugin/Live/test.php file and allows authenticated administrators to read arbitrary URLs via the statsURL parameter. This parameter lacks proper validation, enabling requests to private IP ranges and cloud metadata endpoints. The vulnerability's CVSS score is 6.1, indicating a moderate risk. AVideo users should prioritize patching to limit exposure to potential exploitation.

Vendor: AVideo
Product: Unknown
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-20
Original CVE updated: 2026-06-22
Advisory published: 2026-06-20
Advisory updated: 2026-06-22

Who should care

AVideo users, particularly those running versions up to 27.0, should be aware of this vulnerability. Exploitation requires an authenticated administrator account, so the exposure runs through those accounts and could lead to unauthorized access to sensitive information. Security teams responsible for AVideo installations should assess their exposure and take the necessary actions to mitigate the risk.

Technical summary

CVE-2026-56342 is caused by missing isSSRFSafeURL() validation on the statsURL parameter of the plugin/Live/test.php file in AVideo versions up to 27.0. This allows authenticated administrators to craft requests to internal services, cloud metadata endpoints (e.g., 169.254.169.254), and localhost. Successful exploitation could lead to the retrieval of sensitive information, including IAM credentials, internal service responses, and network configuration details.

Defensive priority

Medium priority due to the moderate CVSS score and potential for sensitive information disclosure.

Recommended defensive actions

  • Apply the official patch or upgrade to a version beyond 27.0.
  • Review and restrict access to the plugin/Live/test.php file.
  • Implement additional validation for the statsURL parameter.
  • Monitor for suspicious activity related to AVideo instances.
  • Inventory AVideo installations and assess exposure.
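
To support the monitoring item above, the following added example (not code from AVideo or from the advisory) scans web access logs for requests to plugin/Live/test.php whose statsURL value names a loopback, link-local or private address. It assumes combined-format access logs and that statsURL is sent in the query string; SAMPLE_LOG, the regular expression and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines. Assumptions: "combined" access-log layout, and
# statsURL sent in the query string (a POST body would not be logged here).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jun/2026:10:02:11 +0000] "GET /plugin/Live/test.php?statsURL=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512
203.0.113.10 - - [21/Jun/2026:10:02:40 +0000] "GET /plugin/Live/test.php?statsURL=http://localhost:8080/stat HTTP/1.1" 200 90
198.51.100.7 - - [21/Jun/2026:10:05:02 +0000] "GET /plugin/Live/test.php?statsURL=https://stream.example.org/stat HTTP/1.1" 200 1204
198.51.100.7 - - [21/Jun/2026:10:06:19 +0000] "GET /view/index.php?statsURL=http://10.0.0.5/ HTTP/1.1" 404 0
"""
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')


def classify_target(url):
    """Return why a statsURL value points at an internal address, or None."""
    try:
        host = urlsplit(url).hostname or ""
        if host == "localhost" or host.endswith(".localhost"):
            return "localhost name"
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name or unparseable value: not resolved offline
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    return "private range" if ip.is_private else None


def find_internal_stats_requests(log_text):
    """List requests to plugin/Live/test.php whose statsURL is internal."""
    findings = []
    for line in log_text.splitlines():
        if not (m := REQUEST_RE.match(line)):
            continue
        client, when, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/plugin/Live/test.php"):
            continue
        for url in parse_qs(parts.query).get("statsURL", []):  # percent-decoded
            if reason := classify_target(url):
                findings.append((client, when, url, reason, status))
    return findings


if __name__ == "__main__":
    print(*find_internal_stats_requests(SAMPLE_LOG), sep="\n")
```

Hostnames are not resolved, so a DNS name that points at an internal address passes this check and needs separate review.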

Evidence notes

The primary evidence for this vulnerability comes from the CVE-2026-56342 record and references provided by NVD and VulnCheck. The affected product is AVideo, up to version 27.0. The vulnerability is confirmed to exist in the plugin/Live/test.php file. Defenders should verify the presence of this file and the statsURL parameter in their AVideo installations. They should also check for any existing patches or updates provided by the vendor.

This article is AI-assisted and based on the supplied source corpus.