CVE-2026-27732
SSRF Vulnerability in WWBN AVideo aVideoEncoder API

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
Meta Information
Published: 2026-02-24
Last Modified: 2026-02-25
Generated: 2026-05-07
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-05
External entries: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor   Product   Version / Range
wwbn     avideo    up to 22.0 (22.0 excluded)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27732 is an authenticated Server-Side Request Forgery (SSRF) vulnerability affecting WWBN AVideo versions prior to 22.0. The vulnerability exists in the aVideoEncoder.json.php API endpoint, which accepts a downloadURL parameter and fetches the specified resource server-side without proper validation or an allow-list.

This flaw allows authenticated users to make the server perform arbitrary HTTP requests to any URL, including internal network endpoints. Exploiting this SSRF can enable attackers to interact with internal services and access sensitive data such as internal APIs or metadata services.

The issue has been fixed in AVideo version 22.0 by implementing strict URL validation and blocking requests to internal or restricted network addresses.


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to leverage SSRF to interact with internal services that are normally inaccessible from outside the server.

By exploiting this, attackers can retrieve sensitive data such as internal APIs or metadata services, which may contain confidential information.

Depending on the deployment environment, this could lead to further compromise, including unauthorized access, data leakage, or escalation of privileges.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an authenticated Server-Side Request Forgery (SSRF) in the aVideoEncoder.json.php API endpoint, which accepts a downloadURL parameter and fetches resources server-side without proper validation.

To detect exploitation attempts on your system or network, you can monitor server logs for unusual or unauthorized HTTP requests initiated by the server to internal or unexpected external URLs, especially those involving the downloadURL parameter in API calls.

Suggested commands to help detect potential exploitation include:

- Use web server access logs to search for requests to the vulnerable endpoint with the downloadURL parameter, e.g., `grep 'aVideoEncoder.json.php' /var/log/apache2/access.log | grep 'downloadURL='`
- Monitor outgoing HTTP requests from the server to internal IP ranges or unusual URLs using network monitoring tools like `tcpdump` or `wireshark` filtering for HTTP traffic.
- Check application logs for error messages related to blocked or invalid URLs if the SSRF protection is enabled (in version 22.0 and later).

[1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade WWBN AVideo to version 22.0 or later, where the vulnerability has been fixed.

Version 22.0 introduces a comprehensive SSRF protection function (`isSSRFSafeURL()`) that validates URLs before fetching, blocking requests to localhost, internal IP ranges, cloud metadata services, and other unsafe destinations.

If upgrading immediately is not possible, consider restricting access to the vulnerable API endpoint to trusted users only and monitoring for suspicious activity as a temporary measure.
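The following Python is an added example, not AVideo's own code (AVideo is a PHP application, and its `isSSRFSafeURL()` is not reproduced here). It shows two things the detection and mitigation answers above describe: a defender-side URL validator of the kind the 22.0 fix introduces, which rejects non-http(s) schemes, embedded credentials, localhost, and any destination that resolves to a loopback, private, link-local (which covers the 169.254.169.254 cloud metadata address) or otherwise non-routable address; and a scanner that applies the same check to access-log requests against aVideoEncoder.json.php that carry a downloadURL, as a concrete form of the grep-based log search suggested above. The log lines, the static DNS table, the request path prefix and all function names are constructed for this illustration.

```python
"""SSRF checks for a downloadURL-style parameter (added example, not AVideo code).

is_ssrf_safe_url() is a validator in the spirit of the isSSRFSafeURL() check the
advisory describes; find_suspicious_downloads() applies it to access-log entries.
Function names, the log lines, the DNS table and the path prefix are constructed.
"""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Hostnames never fetched server-side, whatever they resolve to.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def _resolve_with_dns(host):
    """Default resolver: every A/AAAA address the name currently maps to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_ssrf_safe_url(url, resolver=_resolve_with_dns):
    """Return True only if fetching `url` server-side looks safe.

    Every resolved address must be globally routable: an attacker-controlled
    name may mix a public record with a private one, and a single private
    record is enough to reach an internal service.
    """
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. a malformed IPv6 literal in the authority
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:  # credentials in the URL are a red flag
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or host in BLOCKED_HOSTS:
        return False
    try:  # literal IP addresses are judged directly, names go through the resolver
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        addresses = resolver(host)
    if not addresses:  # unresolvable (or shorthand like "127.1" we refuse to guess)
        return False
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as its IPv4 form.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # the cloud metadata range), shared address space, multicast and reserved.
        if not ip.is_global:
            return False
    return True


# Apache/nginx combined-format prefix: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def find_suspicious_downloads(log_lines, resolver=_resolve_with_dns):
    """Return (client_ip, status, downloadURL) for requests to the encoder
    endpoint whose downloadURL would be rejected by is_ssrf_safe_url()."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "aVideoEncoder.json.php" not in m.group("path"):
            continue
        query = urlparse(m.group("path")).query
        for target in parse_qs(query).get("downloadURL", []):  # parse_qs URL-decodes
            if not is_ssrf_safe_url(target, resolver):
                hits.append((m.group("ip"), int(m.group("status")), target))
    return hits


# Constructed DNS table so the example runs offline; the public address is arbitrary.
STATIC_DNS = {
    "cdn.example.com": {"93.184.216.34"},  # constructed public (globally routable) host
    "intranet.corp": {"10.20.30.40"},      # constructed private (RFC 1918) host
}


def static_resolver(host):
    return STATIC_DNS.get(host, set())


# Constructed access-log lines; "/aVideoEncoder.json.php" path prefix is assumed,
# only the script name and the downloadURL parameter come from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2026:10:01:02 +0000] "GET /aVideoEncoder.json.php?downloadURL=https%3A%2F%2Fcdn.example.com%2Fclip.mp4 HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Feb/2026:10:01:09 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 2048',
    '198.51.100.4 - - [24/Feb/2026:10:02:33 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2Fintranet.corp%2Fadmin HTTP/1.1" 200 1337',
    '198.51.100.4 - - [24/Feb/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, status, target in find_suspicious_downloads(SAMPLE_LOG, static_resolver):
        print(f"suspicious downloadURL from {client} (HTTP {status}): {target}")
```

Run stand-alone, it prints the two log entries whose downloadURL points at the metadata address and at a host resolving into 10.0.0.0/8, and stays silent on the public CDN fetch. Two caveats apply to any validator of this shape: resolving the name at check time does not prevent DNS rebinding between the check and the actual fetch, so a production implementation should pin the resolved address (or re-check inside the HTTP client's connect hook) and validate every redirect target again; and web-server access logs only show a downloadURL sent in the query string, so usage via a POST body needs application-level logging to be visible at all.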

