CVE-2026-27732 HIGH

CVE-2026-27732: AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php

Vendor Wwbn

Product AVideo

Weakness CWE-918 · SSRF

Published February 24, 2026

Last update February 27, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.

Key dates

Disclosure timeline

February 24, 2026 CVE published

February 27, 2026 Record updated