CVE-2026-27732
Published 2026-02-24
CVSS 3.1: 8.1 (high)
EPSS: 0.24% (14.4th percentile)
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | < 22.0 | 22.0 |
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 21.0.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| NVD | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| GHSA | — | 8.6 | HIGH | — |
GHSA (2026-04-08, CVSS 8.6)
CVE-2026-39370 [HIGH] CWE-918: WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
## Summary
The fix for [CVE-2026-27732](https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6) is incomplete.
`objects/aVideoEncoder.json.php` still allows attacker-controlled `downloadURL` values with common media or archive extensions such as `.mp4`, `.mp3`, `.zip`, `.jpg`, `.png`, `.gif`, and `.webm` to bypass SSRF validation. The server then fetches the response and stores it as media content.
This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive.
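The check an upload-by-URL endpoint needs instead of an extension allow-list, written here as an added PHP example and not code from the AVideo project: the scheme and host are validated and every address the host resolves to must be public, so the file extension plays no part in the decision. The function names, the `$pinnedIp` convention and the sample URLs are assumptions, and the sample URLs are constructed.

```php
<?php
// Added example (not AVideo project code): validate a user-supplied downloadURL before
// fetching it. An extension allow-list says nothing about the destination host.

/** True only for IPs outside loopback, private, link-local and reserved ranges. */
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/**
 * Returns null when the URL may be fetched, otherwise the reason it was rejected.
 * $pinnedIp receives the checked address; the fetcher should connect to exactly that
 * address (e.g. CURLOPT_RESOLVE) and not follow redirects, so neither a DNS-rebinding
 * race nor a 302 to an internal host can undo the validation.
 */
function validateDownloadUrl(string $url, ?string &$pinnedIp = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'URL needs a scheme and a host';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL not allowed';
    }
    $host = trim($parts['host'], '[]');
    // Literal IPs are checked directly; hostnames are resolved and every A record must
    // be public. gethostbynamel() is IPv4-only: add AAAA lookups if the fetcher uses IPv6.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($addrs === []) {
        return 'host does not resolve';
    }
    foreach ($addrs as $ip) {
        if (!isPublicIp($ip)) {
            return "resolves to non-public address $ip";
        }
    }
    $pinnedIp = $addrs[0];
    return null;
}

// Constructed inputs: all share the .mp4 extension, which decides nothing here.
foreach (['http://203.0.113.10/clip.mp4', 'http://10.0.0.5/clip.mp4',
          'http://127.0.0.1:8080/clip.mp4', 'file:///srv/clip.mp4'] as $u) {
    echo $u, ' => ', validateDownloadUrl($u) ?? 'ok', PHP_EOL;
}
```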
## Details
`objects/aVideoEncoder.json.php` accepts attacker-controlled `downloadURL` and pa
OSV (2026-02-25; the same advisory is also published as GHSA, CWE-918)
CVE-2026-27732 [HIGH] AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
### Vulnerability Type
Authenticated Server-Side Request Forgery (SSRF)
### Affected Product/Versions
AVideo versions prior to 22 (tested on AVideo 21.x).
### Root Cause Summary
The `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints).
### Impact Summary
An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deploy
No detection rules found.
No public exploits indexed.
Wiz (CVSS 8.6)
## CVE-2026-39370: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 7.1 |
| Published | April 7, 2026 |
| Severity | HIGH |
| CNA Score | 7.1 |
| Affected Technologies | PHP |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
CISA KE
Wiz (CVSS 8.6)
## CVE-2026-27732: PHP vulnerability analysis and mitigation
| Field | Value |
|---|---|
| Source | NVD |
| Score | 8.6 |
| Published | February 24, 2026 |
| Severity | HIGH |
| CNA Score | 8.6 |
| Affected Technologies | PHP |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 10.7 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | wwbn/avideo |
| Sources | NVD |
| Composer | Severity HIGH, no fix, added Mar 02, 2026 |
Published 2026-02-24