CVE-2026-27732
HIGH
GHSA-h39h-7cvg-q7j6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
Analysis
Server-side request forgery in AVideo prior to version 22.0 allows authenticated users to make arbitrary outbound requests from the affected server via an unvalidated downloadURL parameter in the aVideoEncoder.json.php endpoint. An attacker can exploit this to probe internal network services, access metadata endpoints, and retrieve sensitive data, potentially leading to further system compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all WWBN AVideo instances and document their current versions. Within 7 days: Upgrade all affected deployments to version 22.0 or later, or implement network-level compensating controls if immediate patching is not feasible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today