Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.1
AVideo Open Source Video Platform Allows Malicious File Downloads
CVE-2026-39370
GHSA-cmcr-q4jf-p6q9
Summary
AVideo's open source video platform has a security issue that allows attackers to trick the system into downloading malicious files. This can happen when a user uploads a file with a malicious URL, which can lead to unauthorized access to sensitive information. To fix this, update to version 26.1 or later to prevent this type of attack.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | – |
Original title
WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
Original description
## Summary
The fix for [CVE-2026-27732](https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6) is incomplete.
`objects/aVideoEncoder.json.php` still allows attacker-controlled `downloadURL` values with common media or archive extensions such as `.mp4`, `.mp3`, `.zip`, `.jpg`, `.png`, `.gif`, and `.webm` to bypass SSRF validation. The server then fetches the response and stores it as media content.
This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive.
## Details
`objects/aVideoEncoder.json.php` accepts attacker-controlled `downloadURL` and passes it to `downloadVideoFromDownloadURL()`.
Inside that function:
1. the URL extension is extracted from the attacker-controlled path
2. the extension is checked against an allowlist of normal encoder formats
3. `isSSRFSafeURL()` is skipped for common media and archive extensions
4. the URL is fetched via `url_get_contents()`
5. the fetched body is written into video storage and exposed through normal media metadata
The current code still contains:
- an extension-based bypass for SSRF validation
- no mandatory initial-destination SSRF enforcement inside `url_get_contents()` itself
This means internal URLs such as:
`http://127.0.0.1:9998/probe.mp4`
remain reachable from the application host.
This issue is best described as an incomplete fix / patch bypass of `CVE-2026-27732`, not a separate unrelated SSRF class.
## Proof of concept
1. Log in as a low-privilege uploader.
2. Start an HTTP service reachable only from inside the application environment, for example:
```text
http://127.0.0.1:9998/probe.mp4
```
3. Confirm that the service is not reachable externally.
4. Send:
```text
POST /objects/aVideoEncoder.json.php
downloadURL=http://127.0.0.1:9998/probe.mp4
format=mp4
```
5. If needed, replay once against the returned `videos_id` with `first_request=1` so the fetched bytes land in the normal media path.
6. Query:
```text
GET /objects/videos.json.php?showAll=1
```
7. Recover `videosURL.mp4.url`.
8. Download that media URL and observe that the body matches the internal-only response byte-for-byte.
## Impact
An authenticated uploader can make the AVideo server fetch loopback or internal HTTP resources and persist the response as media content by supplying a `downloadURL` ending in an allowlisted extension such as `.mp4`, `.jpg`, `.gif`, or `.zip`. Because SSRF validation is skipped for those extensions, the fetched body is stored and later retrievable through the generated `/videos/...` media URL. Successful exploitation allows internal response exfiltration from private APIs, admin endpoints, or other internal services reachable from the application host.
## Recommended fix
- Apply `isSSRFSafeURL()` to all `downloadURL` inputs regardless of extension
- Remove extension-based exceptions from SSRF enforcement
- Move initial-destination SSRF validation into `url_get_contents()` so call sites cannot skip it
- Avoid storing arbitrary fetched content directly as publicly retrievable media
- Consider restricting upload-by-URL to an explicit allowlist of trusted fetch origins
The fix for [CVE-2026-27732](https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6) is incomplete.
`objects/aVideoEncoder.json.php` still allows attacker-controlled `downloadURL` values with common media or archive extensions such as `.mp4`, `.mp3`, `.zip`, `.jpg`, `.png`, `.gif`, and `.webm` to bypass SSRF validation. The server then fetches the response and stores it as media content.
This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive.
## Details
`objects/aVideoEncoder.json.php` accepts attacker-controlled `downloadURL` and passes it to `downloadVideoFromDownloadURL()`.
Inside that function:
1. the URL extension is extracted from the attacker-controlled path
2. the extension is checked against an allowlist of normal encoder formats
3. `isSSRFSafeURL()` is skipped for common media and archive extensions
4. the URL is fetched via `url_get_contents()`
5. the fetched body is written into video storage and exposed through normal media metadata
The current code still contains:
- an extension-based bypass for SSRF validation
- no mandatory initial-destination SSRF enforcement inside `url_get_contents()` itself
This means internal URLs such as:
`http://127.0.0.1:9998/probe.mp4`
remain reachable from the application host.
This issue is best described as an incomplete fix / patch bypass of `CVE-2026-27732`, not a separate unrelated SSRF class.
## Proof of concept
1. Log in as a low-privilege uploader.
2. Start an HTTP service reachable only from inside the application environment, for example:
```text
http://127.0.0.1:9998/probe.mp4
```
3. Confirm that the service is not reachable externally.
4. Send:
```text
POST /objects/aVideoEncoder.json.php
downloadURL=http://127.0.0.1:9998/probe.mp4
format=mp4
```
5. If needed, replay once against the returned `videos_id` with `first_request=1` so the fetched bytes land in the normal media path.
6. Query:
```text
GET /objects/videos.json.php?showAll=1
```
7. Recover `videosURL.mp4.url`.
8. Download that media URL and observe that the body matches the internal-only response byte-for-byte.
## Impact
An authenticated uploader can make the AVideo server fetch loopback or internal HTTP resources and persist the response as media content by supplying a `downloadURL` ending in an allowlisted extension such as `.mp4`, `.jpg`, `.gif`, or `.zip`. Because SSRF validation is skipped for those extensions, the fetched body is stored and later retrievable through the generated `/videos/...` media URL. Successful exploitation allows internal response exfiltration from private APIs, admin endpoints, or other internal services reachable from the application host.
## Recommended fix
- Apply `isSSRFSafeURL()` to all `downloadURL` inputs regardless of extension
- Remove extension-based exceptions from SSRF enforcement
- Move initial-destination SSRF validation into `url_get_contents()` so call sites cannot skip it
- Avoid storing arbitrary fetched content directly as publicly retrievable media
- Consider restricting upload-by-URL to an explicit allowlist of trusted fetch origins
nvd CVSS3.1
7.1
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026