CVE-2026-27732: Server-Side Request Forgery in AVideo

Severity: 8.6 HIGH (NVD); NVD score 7.1
EPSS: 0.0% (top 89.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Feb 24; Latest update Apr 8

Description

WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata ser

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

NVD: wwbn/avideo < 22.0
CVEListV5: wwbn/avideo 26.0
Packagist: wwbn/avideo 21.0.0+1

Patches

Vulnerability Details (3)

GHSA, 2026-04-08: WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
OSV, 2026-02-25: AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
GHSA, 2026-02-25: AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
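Added illustration, not AVideo's code and not the fix shipped in 22.0: the description above says `downloadURL` was fetched server-side with no allow-list, and the 2026-04-08 GHSA entry reports that a later allow-list on media file extensions could still be bypassed. The block below contrasts that kind of extension-only check with a check on the URL's scheme and on every address the host resolves to, which is what actually keeps the request off loopback, RFC 1918 and link-local (cloud metadata) ranges. The hostnames, addresses and the DNS table are constructed for the example so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MEDIA_EXTENSIONS = (".mp4", ".webm", ".mkv", ".mp3")

# Constructed DNS table so the example runs offline; none of these names or
# addresses belong to AVideo or to any real deployment.
FAKE_DNS = {
    "cdn.example.com": {"93.184.216.34"},
    "internal.example.com": {"10.0.0.5"},
    "rebind.example.com": {"93.184.216.35", "127.0.0.1"},
}


def fake_resolve(host):
    """Offline stand-in for DNS; raises like socket.getaddrinfo on unknown names."""
    try:
        return set(FAKE_DNS[host])
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")


def real_resolve(host):
    """Real resolver: every address the name maps to, IPv4 and IPv6."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def extension_only_check(url):
    """An allow-list on the path suffix only. It says nothing about where the
    request goes: a metadata-service or loopback URL whose path ends in .mp4
    passes, which is the shape of bypass the follow-up GHSA entry reports."""
    return urlsplit(url).path.lower().endswith(MEDIA_EXTENSIONS)


def is_public_ip(ip):
    """Reject loopback, RFC 1918, link-local (169.254.0.0/16 includes the
    cloud metadata address), multicast, reserved and unspecified addresses.
    IPv4-mapped IPv6 is unwrapped first so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_download_url(url, resolve=real_resolve):
    """Return (ok, reason). Checks the scheme, embedded credentials, and every
    address the host resolves to, so a name with one public and one internal
    record is still rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = {str(ipaddress.ip_address(host))}   # host is an IP literal
    except ValueError:
        try:
            ips = resolve(host)
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not ips:
        return False, f"no addresses for {host!r}"
    for ip in ips:
        if not is_public_ip(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://cdn.example.com/clip.mp4",
                "http://169.254.169.254/latest/meta-data/clip.mp4",
                "http://rebind.example.com/clip.mp4",
                "file:///etc/passwd"):
        print(url, extension_only_check(url), validate_download_url(url, resolve=fake_resolve))
```

Two caveats for anyone porting this into a real fetch path: resolving the name here and letting an HTTP client resolve it again later leaves a DNS rebinding window, so the client should connect to the address that was validated (or the address it actually connects to should be re-checked), and each redirect hop must be validated the same way, since an allowed public host can simply 302 to an internal one.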

Threat Intelligence (2)

Wiz: CVE-2026-39370 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-27732 Impact, Exploitability, and Mitigation Steps | Wiz