CVE-2026-39370
Received Received - Intake
SSRF Vulnerability in WWBN AVideo Encoder Allows Data Exfiltration

Publication date: 2026-04-07

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39370
EUVD
EUVD-2026-19886
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39370 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo versions 26.0 and prior. It occurs because the application allows attacker-controlled downloadURL parameters with certain common media or archive file extensions (like .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm) to bypass SSRF validation.

The server fetches the content from these URLs and stores it as media content. This means an authenticated uploader can exploit the upload-by-URL feature to make the server request internal or protected URLs, bypassing SSRF protections, and then exfiltrate the internal responses by retrieving the stored media files.

The vulnerability is caused by an incomplete fix for a previous SSRF issue (CVE-2026-27732) and relies on the fact that SSRF validation is skipped for URLs with certain file extensions, allowing internal-only HTTP services to be accessed and their responses exposed.

Impact Analysis

This vulnerability can allow an authenticated uploader to perform SSRF attacks that bypass normal validation, enabling them to access internal or protected network resources that should not be publicly accessible.

The attacker can cause the server to fetch internal URLs and then exfiltrate the responses by storing them as media files accessible through the platform's media endpoints.

This can lead to unauthorized disclosure of sensitive internal information, potentially exposing internal services, metadata, or other confidential data.

The attack requires only low privileges (authenticated uploader) and no user interaction, making it a significant risk in environments where users have upload permissions.

Detection Guidance

This vulnerability can be detected by monitoring for POST requests to the endpoint `objects/aVideoEncoder.json.php` that include a `downloadURL` parameter pointing to internal or loopback addresses with allowed media or archive file extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, or .webm.

A proof of concept involves sending a POST request with a `downloadURL` targeting an internal HTTP service and then checking if the response content is stored and accessible via the `/objects/videos.json.php` endpoint.

Suggested commands to detect exploitation attempts include using network monitoring tools or curl commands to simulate or detect such requests, for example:

  • Use curl to test the vulnerable endpoint with an internal URL: `curl -X POST -d "downloadURL=http://127.0.0.1:9998/probe.mp4" https://your-avideo-instance/objects/aVideoEncoder.json.php`
  • Check stored media via: `curl https://your-avideo-instance/objects/videos.json.php` to see if the internal response content has been exfiltrated.
  • Monitor web server logs or use intrusion detection systems to flag POST requests to `objects/aVideoEncoder.json.php` with suspicious internal IP addresses or loopback addresses in the `downloadURL` parameter.
Mitigation Strategies

Immediate mitigation steps include:

  • Apply SSRF validation (`isSSRFSafeURL()`) to all `downloadURL` inputs regardless of file extension, removing any extension-based exceptions.
  • Move SSRF validation into the `url_get_contents()` function to ensure enforcement at all call sites.
  • Avoid storing arbitrary fetched content directly as publicly accessible media files.
  • Restrict the upload-by-URL functionality to an explicit allowlist of trusted origins.

These steps address the root cause of the vulnerability and prevent attackers from exploiting the upload-by-URL feature to perform SSRF attacks.

Compliance Impact

The vulnerability allows an authenticated uploader to exfiltrate internal server responses by bypassing SSRF protections, potentially exposing sensitive internal data.

Such unauthorized data exposure could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls on access to and disclosure of sensitive information.

Because the vulnerability enables confidential internal data to be accessed and stored as publicly retrievable media files, it increases the risk of non-compliance with standards mandating confidentiality and integrity of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart