CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
Analysis
Server-Side Request Forgery (SSRF) in WWBN AVideo 26.0 and earlier allows authenticated uploaders to exfiltrate data from internal network resources via objects/aVideoEncoder.json.php. The flaw bypasses existing SSRF protections by permitting attacker-controlled URLs with common media extensions (.mp4, .mp3, .zip, .jpg, .png, .gif, .webm), forcing the server to fetch and store arbitrary remote content. …
Remediation
Within 24 hours: Identify all WWBN AVideo 26.0 and earlier installations in your environment and document current user roles with upload permissions. Within 7 days: Implement network-level controls restricting outbound connections from AVideo servers to internal network ranges (RFC 1918, link-local addresses), and disable upload functionality for non-essential user accounts pending patch availability. …
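The description says the fix checked the extension of downloadURL, which is a property of the path, not of the host the server will connect to. The following is an added example (not AVideo's own code) that puts an extension-only allowlist next to a destination check on the resolved address, rejecting the RFC 1918 and link-local ranges the remediation advice names; the hostnames and the resolver table are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table so the example runs offline; a real deployment
# would use the system resolver and pin the fetch to the validated address.
FAKE_DNS = {
    "cdn.example.com": "93.184.216.34",        # public (constructed)
    "metadata.internal": "169.254.169.254",   # link-local
    "backend.corp.example": "10.0.0.5",       # RFC 1918
}

MEDIA_EXTENSIONS = (".mp4", ".mp3", ".zip", ".jpg", ".png", ".gif", ".webm")


def extension_only_check(url: str) -> bool:
    """Weak check: accepts any URL whose path ends in a media extension.
    It says nothing about where the request will actually be sent."""
    return urlparse(url).path.lower().endswith(MEDIA_EXTENSIONS)


def is_safe_download_url(url: str, resolve=FAKE_DNS.get) -> bool:
    """Hardened check: http(s) only, and the destination address must be
    public. Hostnames are resolved; literal IPv4/IPv6 are checked directly."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        resolved = resolve(parts.hostname)
        if resolved is None:
            return False  # unresolvable: fail closed
        addr = ipaddress.ip_address(resolved)
    # Reject RFC 1918, loopback, link-local (cloud metadata), multicast
    # and reserved ranges.
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def audit(urls):
    """Return {url: (extension_only_verdict, hardened_verdict)}."""
    return {u: (extension_only_check(u), is_safe_download_url(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strong) in audit([
        "https://cdn.example.com/clip.mp4",
        "http://metadata.internal/latest/meta-data.mp4",
        "http://backend.corp.example/export.zip",
        "http://127.0.0.1:8080/admin.png",
    ]).items():
        print(f"{url}: extension-only={weak} hardened={strong}")
```

The check only holds if the download step connects to the address that was validated and re-runs the check on every redirect; resolving once and then fetching by hostname leaves DNS rebinding and open redirects as ways back in.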
References
EUVD-2026-19886
GHSA-cmcr-q4jf-p6q9