Threat Feed
High-severity advisory

WWBN AVideo SSRF Vulnerability via Incomplete CVE-2026-27732 Fix

WWBN AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix for CVE-2026-27732, allowing authenticated uploaders to bypass SSRF protection by providing a `downloadURL` with a common media extension, leading to internal response exfiltration.

WWBN AVideo, a video-sharing platform, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability caused by an incomplete patch for CVE-2026-27732. The flaw lies in the objects/aVideoEncoder.json.php script. An authenticated uploader can supply a malicious downloadURL that ends in a common media extension such as .mp4, .jpg, .gif, or .zip, and the allowlisted extension causes SSRF validation to be skipped. The server then fetches the specified URL with url_get_contents(), stores the response as media content, and exposes it through the /videos/... endpoint, so the attacker can read the body of the internal resource. The issue, tracked as CVE-2026-39370, affects AVideo versions 26.0 and earlier. Exploitation enables exfiltration of sensitive data from internal APIs and services.

Attack Chain

  1. An attacker logs in as a low-privilege authenticated user with upload privileges.
  2. The attacker crafts a malicious downloadURL pointing to an internal resource (e.g., http://127.0.0.1:9998/probe.mp4).
  3. The attacker sends a POST request to /objects/aVideoEncoder.json.php with the downloadURL and a valid format parameter (e.g., mp4).
  4. AVideo’s downloadVideoFromDownloadURL() function extracts the extension and incorrectly skips isSSRFSafeURL() validation due to the allowlisted extension.
  5. The server fetches the content from the attacker-controlled downloadURL using url_get_contents().
  6. The fetched content is written into video storage.
  7. The attacker retrieves the media metadata using GET /objects/videos.json.php?showAll=1 to obtain the videosURL.mp4.url.
  8. The attacker downloads the media URL and recovers the content from the internal resource.

Impact

Successful exploitation allows an authenticated uploader to force the AVideo server to fetch internal resources and persist the response as media content. The resulting SSRF enables exfiltration of responses from private APIs, admin endpoints, or other internal services reachable from the application host. The exposed population corresponds to AVideo installations at version 26.0 or earlier; the sectors most likely affected are media and entertainment, along with organizations that use AVideo for internal video hosting.

Recommendation

  • Apply isSSRFSafeURL() to all downloadURL inputs in objects/aVideoEncoder.json.php, regardless of file extension, to remediate CVE-2026-39370.
  • Deploy the Sigma rule “Detect AVideo SSRF Attempt via DownloadURL” to identify potential exploitation attempts based on requests to /objects/aVideoEncoder.json.php.
  • Restrict upload-by-URL functionality to an explicit allowlist of trusted fetch origins.
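The following Python model illustrates the first recommendation and step 4 of the attack chain: the incomplete flow lets an allowlisted media extension short-circuit the SSRF check, while the remediated flow vets every downloadURL before the extension is even considered. This is an added example written for this advisory, not AVideo's code; isSSRFSafeURL() is represented by a hypothetical is_ssrf_safe_url(), the blocked address ranges are the example's own choice, and the resolver argument is a stand-in for DNS so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Media extensions the advisory says the incomplete fix treated as safe.
MEDIA_EXTENSIONS = {"mp4", "jpg", "gif", "zip"}

# Address ranges an upload-by-URL fetcher should never reach.
# This list is an assumption of the example, not AVideo's own blocklist.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr):
    """True if addr (an ipaddress object) falls in any non-public range."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_multicast or addr.is_unspecified
            or any(addr in net for net in BLOCKED_NETWORKS))


def is_ssrf_safe_url(url, resolver=None):
    """Hypothetical stand-in for isSSRFSafeURL(): accept only http(s) URLs
    whose host is a public address. Hostnames are checked through `resolver`
    (hostname -> list of address strings); with no resolver they are
    rejected, so the check fails closed rather than open."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addrs = [ipaddress.ip_address(host)]   # IP literal (IPv4 or IPv6)
    except ValueError:
        if resolver is None:
            return False
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError, LookupError):
            return False
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)


def url_extension(url):
    """Lower-cased extension of the URL path's last segment, or '' if none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def validate_download_url_incomplete(url, resolver=None):
    """Models the flawed flow the advisory describes: an allowlisted
    extension skips the SSRF check. Reconstruction for illustration only."""
    if url_extension(url) in MEDIA_EXTENSIONS:
        return True  # check skipped: this is the bypass
    return is_ssrf_safe_url(url, resolver)


def validate_download_url_fixed(url, resolver=None):
    """Remediated flow: the SSRF check runs for every downloadURL first;
    the extension allowlist is kept as a second, independent gate."""
    if not is_ssrf_safe_url(url, resolver):
        return False
    return url_extension(url) in MEDIA_EXTENSIONS


if __name__ == "__main__":
    probe = "http://127.0.0.1:9998/probe.mp4"   # IoC listed in the advisory
    # Constructed resolver standing in for DNS so the example runs offline.
    fake_dns = {"cdn.example": ["93.184.216.34"],
                "intranet.corp": ["10.0.0.5"]}.__getitem__
    for fn in (validate_download_url_incomplete, validate_download_url_fixed):
        print(f"{fn.__name__}: {probe} -> {fn(probe, fake_dns)}")
    print("hostname via resolver:",
          validate_download_url_fixed("http://intranet.corp/a.mp4", fake_dns))
```

Note that validating the resolved address at check time is not the whole fix: a resolver answer can change between the check and the fetch, so a production fetcher should connect to the address it validated rather than resolving the hostname a second time.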

Detection coverage (2 rules)

Detect AVideo SSRF Attempt via DownloadURL

high

Detects attempts to exploit the AVideo SSRF vulnerability (CVE-2026-39370) by monitoring requests to the vulnerable endpoint with a suspicious downloadURL.

Format: sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver, linux.

Detect Internal IP in DownloadURL Parameter

medium

Detects attempts to use internal IP addresses within the downloadURL parameter, indicating a potential SSRF attempt.

Format: sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver, linux.
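The two rules above are summarized but their queries are not on this page, so the Python below is an added example of the matching logic a defender could run over webserver access logs to approximate them: the first rule fires on requests to /objects/aVideoEncoder.json.php whose downloadURL is non-http(s), points at localhost, or carries an internal IP literal; the second fires on an internal IP literal in a downloadURL parameter anywhere. The log lines, client addresses and timestamps are constructed for the example; the rule names are the ones listed on this page, but the match conditions are this example's own interpretation, not the platform's Sigma logic.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Prefix of the combined log format: client, identity, user, timestamp,
# request line, status, bytes. The rest of the line is not needed here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

VULN_ENDPOINT = "/objects/aVideoEncoder.json.php"  # endpoint named in the advisory
RULE_SSRF_ATTEMPT = "Detect AVideo SSRF Attempt via DownloadURL"
RULE_INTERNAL_IP = "Detect Internal IP in DownloadURL Parameter"

# Constructed sample log (not real traffic). Line 1 is the advisory's IoC
# in the query string, line 2 is a legitimate-looking fetch from a public
# host, line 3 is an internal IP outside the vulnerable endpoint, line 4 is
# ordinary media traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Mar/2026:10:15:01 +0000] "POST /objects/aVideoEncoder.json.php?downloadURL=http%3A%2F%2F127.0.0.1%3A9998%2Fprobe.mp4&format=mp4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.4 - - [12/Mar/2026:10:15:07 +0000] "POST /objects/aVideoEncoder.json.php?downloadURL=https%3A%2F%2Fcdn.example%2Fclip.mp4&format=mp4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.5 - - [12/Mar/2026:10:16:30 +0000] "GET /index.php?downloadURL=http%3A%2F%2F192.168.1.10%2Fadmin HTTP/1.1" 200 90 "-" "curl/8.0"
10.1.2.6 - - [12/Mar/2026:10:17:02 +0000] "GET /videos/abc/abc.mp4 HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
"""


def internal_ip_literal(host):
    """True when host is an IP literal in a loopback/private/link-local range.
    Hostnames are not resolved here: the detection path does no DNS."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def classify(line):
    """Return the list of rule names one access-log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    download_url = parse_qs(target.query).get("downloadURL", [None])[0]
    if download_url is None:
        return []
    dl = urlsplit(download_url)
    host = dl.hostname or ""
    hits = []
    suspicious = (dl.scheme not in ("http", "https")
                  or host == "localhost" or host.endswith(".localhost")
                  or internal_ip_literal(host))
    if target.path == VULN_ENDPOINT and suspicious:
        hits.append(RULE_SSRF_ATTEMPT)
    if internal_ip_literal(host):
        hits.append(RULE_INTERNAL_IP)
    return hits


def scan(log_text):
    """Return [(client, [rule, ...]), ...] for every line that matched."""
    results = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            results.append((LOG_RE.match(line).group("client"), hits))
    return results


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, "->", "; ".join(hits))
```

A standard access log records only the request line, so these rules see downloadURL only when it is sent in the query string. When the parameter travels in a POST body, as in step 3 of the attack chain, the access log will not contain it and the rule needs a source that logs request bodies or the application's own upload log.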


Indicators of compromise (1)

Type    Value
url     http://127.0.0.1:9998/probe.mp4