GHSA-H39H-7CVG-Q7J6

Vulnerability from github – Published: 2026-02-25 18:57 – Updated: 2026-02-25 18:57
VLAI?
Summary
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Details

Vulnerability Type

Authenticated Server-Side Request Forgery (SSRF)

Affected Product/Versions

AVideo versions prior to 22 (tested on AVideo 21.x).

Root Cause Summary

The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints).

Impact Summary

An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment.

Resolution/Fix

This issue has been fixed in AVideo version 22. Users should upgrade to version 22.0 as soon as possible.

Credits/Acknowledgement

Thanks to Arkadiusz Marta for responsibly reporting this issue. - GitHub Profile: https://github.com/arkmarta/

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "21.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:57:05Z",
    "nvd_published_at": "2026-02-24T15:21:39Z",
    "severity": "HIGH"
  },
  "details": "### Vulnerability Type\nAuthenticated Server-Side Request Forgery (SSRF)\n\n### Affected Product/Versions\nAVideo versions prior to 22 (tested on AVideo 21.x).\n\n### Root Cause Summary\nThe `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints).\n\n### Impact Summary\nAn authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment.\n\n### Resolution/Fix\nThis issue has been fixed in AVideo version 22. Users should upgrade to version 22.0 as soon as possible.\n\n### Credits/Acknowledgement\nThanks to Arkadiusz Marta for responsibly reporting this issue.\n- GitHub Profile: https://github.com/arkmarta/",
  "id": "GHSA-h39h-7cvg-q7j6",
  "modified": "2026-02-25T18:57:05Z",
  "published": "2026-02-25T18:57:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27732"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/384ef2548093f4cbb1bfac00f1f429fe57fab853"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/releases/tag/22.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.