Description
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
Published: 2026-02-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

An authenticated SSRF flaw exists in WWBN AVideo, where the aVideoEncoder.json.php endpoint accepts a downloadURL parameter and fetches the target resource on the server without validation. This flaw allows an attacker to compel the server to access arbitrary URLs, including internal network endpoints. The resulting data retrieval can expose sensitive internal APIs, metadata services, or other systems, and may enable further compromise depending on the environment. The weakness corresponds to CWE-918.

Affected Systems

The vulnerability affects all installations of WWBN AVideo versions prior to 22.0. The fix was introduced in release 22.0, so systems running older releases are at risk.

Risk and Exploitability

The issue carries a CVSS score of 8.6, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of active exploitation at present, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with access to the API, after which the attacker can invoke the SSRF using any URL. In environments with exposed internal services, this could lead to data leakage or further lateral movement.

Generated by OpenCVE AI on April 17, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AVideo 22.0 or later to eliminate the SSRF vulnerability.
  • Restrict the downloadURL parameter to an allow‑list of approved domains or IP ranges, and configure the server to validate and reject any URL that points to internal or non-public addresses.
  • Disable or restrict API access for users lacking explicit permission to trigger server‑side requests.
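The allow-list and non-public-address checks recommended above, as an added PHP example that is not AVideo's own code; ALLOWED_HOSTS, the function names and the pinned-fetch approach are assumptions about how a deployment would wire this in front of the download.

```php
<?php
// Added example, not AVideo's code: allow-list plus non-public-address check for a user-supplied
// download URL, then a fetch pinned to the validated address. ALLOWED_HOSTS is a placeholder.
const ALLOWED_HOSTS = ['cdn.example.com', 'media.example.org'];
/** Validates $url; returns host, port and IP for a pinned fetch, throws on rejection. */
function validateDownloadUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {   // no file://, gopher://, dict://
        throw new InvalidArgumentException('Scheme not allowed');
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, ALLOWED_HOSTS, true)) {          // exact match, no wildcards
        throw new InvalidArgumentException('Host not in allow-list');
    }
    // Resolve once and reject any A record in private, loopback, link-local or reserved space, so an
    // allow-listed name cannot point at 10.x or 169.254.169.254 (IPv4-only; AAAA needs dns_get_record()).
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        throw new InvalidArgumentException('Host does not resolve');
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new InvalidArgumentException('Host resolves to a non-public address');
        }
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}
/** Fetches a validated URL without following redirects or re-resolving DNS. */
function fetchValidated(string $url): string
{
    $t = validateDownloadUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a 302 to an internal host would bypass the checks
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],  // pin validated IP
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}
```

The resolve-then-pin step matters because a host check alone leaves a window between validation and fetch in which the name could resolve differently.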


Advisories
Source: Github GHSA
ID: GHSA-h39h-7cvg-q7j6
Title: AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
History

Fri, 27 Feb 2026 21:15:00 +0000

Metrics (ssvc), values added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:00:00 +0000

CPEs, values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Metrics (cvssV3_1), values added:

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

First Time appeared, values added: Wwbn; Wwbn avideo
Vendors & Products, values added: Wwbn; Wwbn avideo

Tue, 24 Feb 2026 15:15:00 +0000

Description, values added: WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
Title, values added: AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Weaknesses, values added: CWE-918
References:
Metrics (cvssV4_0), values added:

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:49:38.424Z

Reserved: 2026-02-23T18:37:14.789Z

Link: CVE-2026-27732

Vulnrichment

Updated: 2026-02-27T20:49:35.345Z

NVD

Status: Analyzed

Published: 2026-02-24T15:21:39.163

Modified: 2026-02-25T16:52:33.227

Link: CVE-2026-27732

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses