Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
AnalysisAI
Server-Side Request Forgery (SSRF) in WWBN AVideo 26.0 and earlier allows authenticated uploaders to exfiltrate data from internal network resources via objects/aVideoEncoder.json.php. The flaw bypasses existing SSRF protections by permitting attacker-controlled URLs with common media extensions (.mp4, .mp3, .zip, .jpg, .png, .gif, .webm), forcing the server to fetch and store arbitrary remote content. This represents an incomplete fix for CVE-2026-27732. No public exploit identified at time of analysis. CVSS 7.1 with network-accessible attack vector requiring low-privileged authentication.
Technical ContextAI
The vulnerability resides in WWBN AVideo's aVideoEncoder.json.php endpoint, which implements an upload-by-URL feature for ingesting media content. The flaw stems from insufficient input validation on the downloadURL parameter - specifically, extension-based allowlisting logic that permits common media and archive file types without adequately verifying the URL destination. When an authenticated user with upload privileges submits a crafted URL ending in an approved extension, the server initiates an HTTP request to the attacker-specified target and persists the response as media content. This violates the fundamental SSRF mitigation principle of never trusting user-controlled URLs for server-side fetch operations. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and affects the PHP-based AVideo platform (CPE: cpe:2.3:a:wwbn:avideo). The issue represents a bypass of prior CVE-2026-27732 remediation, indicating the original fix employed extension-based filtering rather than robust URL validation schemes like destination allowlisting or metadata-based content verification.
RemediationAI
Upgrade to the patched AVideo version referenced in the vendor security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9. Upstream fix available (PR/commit); released patched version not independently confirmed from provided data. As interim mitigation, restrict upload-by-URL functionality to trusted users only via role-based access controls, implement network egress filtering to block server-initiated requests to private IP ranges (RFC 1918, RFC 4193, 169.254.0.0/16), and enforce strict URL validation with destination allowlisting rather than extension-based filtering. Deploy Web Application Firewall (WAF) rules to detect and block suspicious downloadURL patterns containing internal IP addresses or cloud metadata endpoints. Review server network segmentation to ensure the AVideo application cannot reach sensitive internal services or cloud instance metadata APIs.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19886
GHSA-cmcr-q4jf-p6q9