Skip to main content

PHP CVE-2026-39370

| EUVDEUVD-2026-19886 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-07 GitHub_M GHSA-cmcr-q4jf-p6q9
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 18:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19886
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:26 nvd
HIGH 7.1

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.

AnalysisAI

Server-Side Request Forgery (SSRF) in WWBN AVideo 26.0 and earlier allows authenticated uploaders to exfiltrate data from internal network resources via objects/aVideoEncoder.json.php. The flaw bypasses existing SSRF protections by permitting attacker-controlled URLs with common media extensions (.mp4, .mp3, .zip, .jpg, .png, .gif, .webm), forcing the server to fetch and store arbitrary remote content. This represents an incomplete fix for CVE-2026-27732. No public exploit identified at time of analysis. CVSS 7.1 with network-accessible attack vector requiring low-privileged authentication.

Technical ContextAI

The vulnerability resides in WWBN AVideo's aVideoEncoder.json.php endpoint, which implements an upload-by-URL feature for ingesting media content. The flaw stems from insufficient input validation on the downloadURL parameter - specifically, extension-based allowlisting logic that permits common media and archive file types without adequately verifying the URL destination. When an authenticated user with upload privileges submits a crafted URL ending in an approved extension, the server initiates an HTTP request to the attacker-specified target and persists the response as media content. This violates the fundamental SSRF mitigation principle of never trusting user-controlled URLs for server-side fetch operations. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and affects the PHP-based AVideo platform (CPE: cpe:2.3:a:wwbn:avideo). The issue represents a bypass of prior CVE-2026-27732 remediation, indicating the original fix employed extension-based filtering rather than robust URL validation schemes like destination allowlisting or metadata-based content verification.

RemediationAI

Upgrade to the patched AVideo version referenced in the vendor security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9. Upstream fix available (PR/commit); released patched version not independently confirmed from provided data. As interim mitigation, restrict upload-by-URL functionality to trusted users only via role-based access controls, implement network egress filtering to block server-initiated requests to private IP ranges (RFC 1918, RFC 4193, 169.254.0.0/16), and enforce strict URL validation with destination allowlisting rather than extension-based filtering. Deploy Web Application Firewall (WAF) rules to detect and block suspicious downloadURL patterns containing internal IP addresses or cloud metadata endpoints. Review server network segmentation to ensure the AVideo application cannot reach sensitive internal services or cloud instance metadata APIs.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-39370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy