CVE-2026-39370 HIGH

CVE-2026-39370: WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)

Vendor Wwbn
Product AVideo
Weakness CWE-918 · SSRF
Published April 7, 2026
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-54122 Manager-io/Manager allows unauthenticated full read server-side request forgery in "proxy" endpoint CVE-2026-26150 Microsoft Purview eDiscovery Elevation of Privilege Vulnerability CVE-2026-5417 Dataease SQLbot Elasticsearch es_engine.py get_es_data_by_http server-side request forgery CVE-2022-23206 Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth CVE-2026-41172 Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)