CVE-2026-27732

UNKNOWN 0.0

AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.

CWE	CWE-918
Vendor	wwbn
Product	avideo
Published	Feb 24, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new unknown vulnerabilities affecting wwbn avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

WWBN / AVideo

< 22.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6 github.com: https://github.com/WWBN/AVideo/commit/384ef2548093f4cbb1bfac00f1f429fe57fab853 github.com: https://github.com/WWBN/AVideo/releases/tag/22.0