8.6
AVideo can be tricked into accessing unauthorized internal servers
CVE-2026-27732
GHSA-h39h-7cvg-q7j6
Summary
AVideo versions prior to 22 allow an authenticated user to make the application server issue requests to internal servers and return their data, without those requests being visible as coming from the user (server-side request forgery). This could let an attacker obtain sensitive information or gain further access to the system. To fix this, upgrade to AVideo version 22 as soon as possible.
What to do
No fix is recorded in this entry yet (the original advisory below states the issue is fixed in AVideo 22.0). Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wwbn | avideo | <= 21.0.0 | – |
| wwbn | avideo | <= 22.0 | – |
Original title
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Original description
### Vulnerability Type
Authenticated Server-Side Request Forgery (SSRF)
### Affected Product/Versions
AVideo versions prior to 22 (tested on AVideo 21.x).
### Root Cause Summary
The `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints).
### Impact Summary
An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment.
### Resolution/Fix
This issue has been fixed in AVideo version 22. Users should upgrade to version 22.0 as soon as possible.
### Credits/Acknowledgement
Thanks to Arkadiusz Marta for responsibly reporting this issue.
- GitHub Profile: https://github.com/arkmarta/
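The root-cause section above describes a server-side fetch of a user-supplied `downloadURL` with no validation or allow-list. As an added example that is not AVideo's own code, the check below shows what such a parameter should pass before any request is made, written in Python rather than the project's PHP; `FAKE_DNS`, `fake_resolve` and the hostnames are constructed fixtures so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical hardening check for a user-supplied, server-side-fetched URL
# such as the downloadURL parameter in the advisory. Not AVideo code.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS fixture so the example runs offline. A real deployment
# would resolve with socket.getaddrinfo and then connect to the exact
# address that passed the check, so a DNS answer cannot change in between.
FAKE_DNS = {
    "videos.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}

def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])

def _is_public(ip) -> bool:
    """Globally routable unicast only; unwrap IPv4-mapped IPv6 first."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast

def validate_download_url(url: str, resolve: Callable[[str], List[str]],
                          allowed_hosts: Optional[Iterable[str]] = None
                          ) -> Tuple[bool, str]:
    """Return (ok, reason); ok only if every address the host maps to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:            # no file://, gopher://, ...
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"            # http://trusted@other-host/ forms
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host not on allow-list"
    try:
        addrs = [str(ipaddress.ip_address(host))]       # literal IP: no lookup
    except ValueError:
        addrs = resolve(host)                           # hostname: check every record
    if not addrs:
        return False, "unresolvable host"               # fail closed
    for addr in addrs:
        if not _is_public(ipaddress.ip_address(addr)):
            return False, f"non-public address {addr}"
    return True, "ok"
```

With `socket.getaddrinfo` as the resolver, a numeric host such as `http://2130706433/` resolves to a loopback address and is rejected at the address check instead of the lookup.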
NVD CVSS 3.1: 8.1
NVD CVSS 4.0: 8.6
Vulnerability type: CWE-918 Server-Side Request Forgery (SSRF)
- https://github.com/WWBN/AVideo/releases/tag/22.0 (Product)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6 (Vendor Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27732
- https://github.com/advisories/GHSA-h39h-7cvg-q7j6
- https://github.com/WWBN/AVideo/commit/384ef2548093f4cbb1bfac00f1f429fe57fab853 (Patch)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026