CVE-2026-39370
HIGHWWBN AVideo <= 26.0 - Server-Side Request Forgery Response Exfiltration
Title source: manualDescription
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9
Scores
CVSS v3
7.1
EPSS
0.0021
EPSS Percentile
10.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (3)
wwbn/avideo
< 26.0
WWBN/AVideo
0Packagist
WWBN/AVideo
<= 26.0
Published
Apr 07, 2026
Tracked Since
Apr 08, 2026