CVE-2026-39370

HIGH

WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)

Title source: cna

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.

References (1)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9

Scores

CVSS v3 7.1

EPSS 0.0003

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

wwbn/avideo < 26.0

WWBN/AVideo 0Packagist

WWBN/AVideo <= 26.0

Published Apr 07, 2026

Tracked Since Apr 08, 2026