GHSA-wxjx-r2j2-96fx: AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php
The plugin/Live/test.php endpoint accepts a URL in the statsURL parameter, fetches it server-side with file_get_contents(), curl_exec(), or wget, and echoes the full response body into the HTML output. The only validation is the regex /^http/, which checks nothing but the string prefix: it does not block loopback or private addresses, link-local addresses such as cloud metadata endpoints, or hostnames that resolve to any of them. The codebase already provides isSSRFSafeURL(), which rejects private IP ranges and resolves DNS before checking so that rebinding cannot be used to slip a blocked address past the check, but this endpoint never calls it. An authenticated admin can therefore read responses from cloud metadata services, internal network services, and localhost endpoints, which makes this a full-read SSRF rather than a blind one.
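The following PHP is an added illustration and is not AVideo's code or its isSSRFSafeURL() implementation. It places the prefix-only check the advisory describes next to a validator of the kind the advisory says the endpoint should have used: scheme and host are parsed, the host is resolved, every resolved address is checked against loopback, private, link-local and other reserved ranges, and the checked address is pinned for the actual request so a DNS rebind between check and connect does nothing. The function names (weakCheck, isPublicIp, isSafeOutboundUrl, fetchPinned) and the sample URLs are invented for this example.

```php
<?php
// Added illustrative example, not AVideo's own code. Function names are invented.

// The pattern the advisory describes: only the string prefix is checked, so
// http://127.0.0.1/, http://169.254.169.254/ and http://10.0.0.5/ all pass.
function weakCheck(string $url): bool {
    return (bool) preg_match('/^http/', $url);
}

// True only for an address outside loopback, private, link-local (which
// covers the 169.254.169.254 metadata address), CGNAT and benchmark ranges.
function isPublicIp(string $ip): bool {
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    // IPv4 ranges that filter_var does not reject but that are never a
    // legitimate stats server: shared address space and benchmark space.
    $extra = ['100.64.0.0/10', '192.0.0.0/24', '198.18.0.0/15'];
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $addr = ip2long($ip);
        foreach ($extra as $cidr) {
            [$net, $bits] = explode('/', $cidr);
            $mask = -1 << (32 - (int) $bits);
            if ((ip2long($net) & $mask) === ($addr & $mask)) {
                return false;
            }
        }
    }
    return true;
}

// Validate scheme and host, resolve the host, and check every address it
// resolves to. Returns the address to connect to, or null if anything is off.
function isSafeOutboundUrl(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                      // reject http://user@internal-host/ tricks
    }
    $host = trim($p['host'], '[]');       // parse_url keeps the brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        // gethostbynamel() also normalises shorthand such as 127.1 or a decimal
        // integer address, so the check below sees the real target. IPv4 only;
        // use dns_get_record($host, DNS_AAAA) as well if IPv6 egress exists.
        $ips = gethostbynamel($host) ?: [];
    }
    if (!$ips) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null;                  // one internal answer rejects the whole host
        }
    }
    return $ips[0];
}

// Fetch with the checked address pinned, so the connection goes to exactly
// what was validated. Redirects are disabled because a 302 to
// http://169.254.169.254/ would otherwise bypass the check entirely.
function fetchPinned(string $url, string $ip): ?string {
    $p = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed sample inputs: the first four are the targets the advisory
// names; the last is a public literal that both checks accept.
$samples = [
    'http://169.254.169.254/latest/meta-data/',
    'http://127.0.0.1:8080/admin',
    'http://[::1]/',
    'http://10.0.0.5/',
    'http://8.8.8.8/',
];
foreach ($samples as $u) {
    printf("%-45s weak=%-6s hardened=%s\n", $u,
        weakCheck($u) ? 'pass' : 'reject',
        isSafeOutboundUrl($u) !== null ? 'pass' : 'reject');
}
```

Two points a practitioner should keep in mind when wiring this into an endpoint like test.php: the redirect must stay disabled (or each hop must be re-validated and re-pinned), and the validator must run on the string the fetcher actually uses, not on a copy that is later modified. The wget and file_get_contents() paths the advisory mentions have no equivalent of CURLOPT_RESOLVE, which is one reason to route the fetch through a single curl wrapper.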